Data Processing Policy

In the present document, by “FARANDA HOTELS” it is understood:

  1. The Society “GHS GLOBAL HOSPITALITY SERVICES S.A.S.”, identified with NIT 900657316-7, domiciled in Cartagena, Colombia.
  2. Other companies that operate the FARANDA HOTELS brand (Grupo Hotelero Mar y Sol S.A.S., Casa La Factoria S.A.S., Club House Bogota S.A.S., Casa de la Mantilla S.A.S., Inversiones YASS, El Dorado Investment Foreign Branch, Bantu Hotel S.A.S., Hotel Operator Cali S.A.S., Casa Don Luis Hotel S.A.S., Casa Canabal Hotel Boutique S.A.S., Casinos and Services of the Caribbean S.A.S., Hotel Casinos and Services of the Caribbean S.A.S. Sol S.A.S., Hotel Boutique El Marques S.A.S., Hotelera El Panama S.A., Inversiones Fernández Espina Hermanos S.A., Grupo Caribe S.A., Complejo Hotelero Los Guayacanes S.A., Hotel Imperial Lagoon SA de CV, Operadora Celuisma Internacional SA de CV and those created after the publication of this Policy)
  3. The hotels operated under the FARANDA HOTELS brand around the world (Hotel Caribe, Hotel Casa La Factoria, Hotel Faranda Collection Barranquilla, Hotel Faranda Collection Bogota, Hotel Faranda Belvedere, Hotel Casa la Matilla, Hotel Faranda Collection Medellín, Hotel Aloft, Faranda Hotel, Hotel Bantú, Hotel Faranda Collection Cali, Hotel Casa Don Luis, Hotel Casa Canabal, Hotel Bolívar Cucuta, Hotel Puerta del Sol, Hotel El Marques, Hotel El Panama by Faranda Grand, Hotel Faranda Express Soloy & Casino, Hotel Fariquanda Bbito Yes, Hotel Faranda Guayacanes — Chitré, Hotel Faranda Dos Playas Cancun, Hotel Faranda Imperial Laguna Cancun, Hotel Faranda Express Puerta del Sol Porlamar, Hotel Faranda Express Puerta del Sol Playa El Agua, Hotel Faranda Express Puerta del Sol, Hotel Faranda Express Belvedere, Hotel Faranda Express Pathos Gijón, Faranda Express Marsol Candás, Hotel Faranda Alisas Santander, Faranda Los Tilos, Caribbean Maya, Hotel Faranda Express Torrelavega, Hotel Faranda Las Lomas, Hotel City of Ponferrada). This list of hotels is updated regularly and can be viewed on the following website: www.farandahotels.com

A hotel that operates the FARANDA HOTELS brand is not necessarily owned by the company “GHS GLOBAL HOSPITALITY SERVICES S.A.S.”. Most of the hotels operated under the FARANDA HOTELS brand operate independently or through the operator “GHS GLOBAL HOSPITALITY SERVICES S.A.S.”. For this reason, whichever member of FARANDA HOTELS a natural person has contact with, that member, in its capacity as data controller, undertakes to process personal data in accordance with current law. In other words, each member of FARANDA HOTELS acts as its own data controller and pursues its own purposes.

In compliance with current regulations, this policy for the processing of personal data is adopted, and it will be communicated to all the owners of the data already collected or obtained in the future in the exercise of our activities. In this way, we state that we guarantee the rights to privacy and intimacy in the processing of personal data, and consequently all our actions will be governed by the principles of legality, purpose, freedom, veracity or quality, transparency, restricted access and circulation, security and confidentiality. All persons who, in the course of any activity, whether permanent or occasional, provide any type of information or personal data will be able to know, update and rectify it. This policy will apply to personal data recorded in any database whose owner is a natural person.

Chapter I

Procedural Policies and Security

1. Legal basis and scope of application.

The purpose of the right to Data Protection is to allow all people to know, update and rectify the information that has been collected about them in files or databases.

When the Data Subject gives consent for their data to form part of a database of an institution, public or private, legal or natural, this is done through the person responsible for the processing of these data, who acquires a series of obligations: to treat such data with security and care, to ensure their integrity, and to act as the body the Data Subject can contact to monitor and control the information and to exercise the rights of inquiry and complaint.

Although the responsibility for data processing lies with the data controller, his competencies are embodied in the functions that correspond to his service personnel. The staff of the institution responsible for the treatment with direct or indirect access to the databases containing the personal data must be aware of the data protection regulations, the organization's data protection policy; and they must comply with the data security obligations corresponding to their functions and position.

To ensure compliance with their security obligations, data controllers appoint their legal representative as responsible for developing, coordinating, controlling and verifying compliance with the security measures contained in this manual.

This policy will apply to all personal data registered in databases that are subject to processing by the data controller and is addressed to all data users, who are both their own staff and external personnel of the data controller.

All users identified in this Security document are required to comply with the security measures established for data processing and are subject to the duty of confidentiality, even after the termination of their employment or professional relationship with the organization responsible for the treatment. The duty of confidentiality is formalized through the signing of a confidentiality agreement, signed between the user and the person responsible for the treatment.

2. Definitions.

  • Authorized access: Authorization granted to a user for the use of certain resources. In automated devices, it is the result of correct authentication, usually through the entry of a user and password.
  • Authentication: Procedure for verifying the identity of a user.
  • Authorization: Prior, express and informed consent of the Owner to carry out the processing of personal data.
  • Privacy Notice: Verbal or written communication generated by the data controller, addressed to the Owner of the personal data, informing them of the existence of the information processing policies that will apply to them, the way to access them and the purposes of the intended processing of personal data.
  • Database: Organized set of personal data that is subject to processing.
  • Password: Secret string that allows access to otherwise inaccessible devices, information or databases. It is used for user authentication, which in turn grants authorized access.
  • Access control: Mechanism that allows access to devices, information or databases through authentication.
  • Backup copy: Copy of the data from a database on a medium that allows it to be recovered.
  • Personal data: Any information linked to or that can be associated with one or more specific or determinable natural persons.
  • Public data: Data that is not semi-private, private or sensitive. Public data includes, among others, data relating to the civil status of individuals, their profession or trade and their capacity as a merchant or public servant. By their nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly enforceable court judgments that are not subject to reservation.
  • Sensitive data: Data that affects the privacy of the Owner or whose misuse may lead to discrimination, such as data that reveals racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social or human rights organizations or organizations that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sexual life and biometric data.
  • Processor (person in charge of the treatment): A natural or legal person, public or private, who, on their own or in association with others, processes personal data on behalf of the data controller.
  • Identification: Process of recognizing the identity of users.
  • Incident: Any anomaly that affects or may affect data security, constituting a risk to the confidentiality, availability or integrity of the databases or the personal data they contain.
  • User profile: Group of users to whom access is given.
  • Protected resource: Any component of the information system, such as databases, programs, supports or equipment, used for the storage and processing of personal data.
  • Security Officer: One or more persons designated by the data controller for the control and coordination of security measures.
  • Information system: Set of databases, programs, supports and/or equipment used for the processing of personal data.
  • Data controller (person responsible for the treatment): A natural or legal person, public or private, who, on their own or in association with others, decides on the database and/or the processing of data.
  • Support: Material on whose surface information is recorded or on which data can be saved or recovered, such as paper, video tape, CD, DVD, hard drive, etc.
  • User: Subject authorized to access data or resources, or process that accesses data or resources without identifying a subject.
  • Owner: Natural person whose personal data are being processed.
  • Treatment: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
  • Transfer: The transfer of data takes place when the person responsible and/or person in charge of the processing of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is responsible for the treatment and is inside or outside the country.
  • Transmission: Processing of personal data that involves the communication of these within or outside the territory of the Republic of Colombia, when its purpose is to carry out processing by the person in charge on behalf of the person responsible.

3. Principles of data protection.

There are principles for the processing of personal data that must be applied, in a harmonious and comprehensive manner, in the development, interpretation and application of the Law. The legal principles of data protection are as follows:

Principle of legality.

Principle of purpose: The treatment must serve a legitimate purpose, which must be communicated to the Owner.

Principle of freedom: The treatment can only be carried out with the prior, express and informed consent of the Owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that replaces consent. The processing of data requires the prior and informed authorization of the Owner, given by any means that can be consulted later, except in the following cases:

  • Information required by a public or administrative entity in the exercise of its legal functions or by court order.
  • Data of a public nature.
  • Cases of medical or health emergencies.
  • Information processing authorized by law for historical, statistical or scientific purposes.
  • Data related to the Civil Registry of individuals.

Principle of veracity or quality: The information subject to treatment must be true, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractional or misleading data is prohibited.

Principle of transparency: In processing, the Owner's right to obtain information from the data controller or processor, at any time and without restrictions, about the existence of data concerning them must be guaranteed. At the time of requesting authorization from the Owner, the data controller must clearly and expressly inform them of the following, keeping proof of compliance with this duty:

  • The treatment to which the Owner's data will be submitted and its purpose.
  • The optional nature of the Owner's response to questions asked when they deal with sensitive data or data about children or adolescents.
  • The Owner's rights as Data Subject.
  • The identification, physical address, email and telephone number of the person responsible for the treatment.
Principle of restricted access and circulation: The processing is subject to the limits derived from the nature of the personal data. In this sense, the treatment may only be done by persons authorized by the owner and/or by the persons provided for by the Law. Personal data, with the exception of public information, may not be available on the internet and other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the Owners or authorized third parties in accordance with the Law.

Security principle: Information subject to processing by the data controller or processor must be handled with the technical, human and administrative measures necessary to secure the records, preventing their adulteration, loss, consultation, or unauthorized or fraudulent use or access. The data controller is responsible for implementing the corresponding security measures and for informing all personnel who have direct or indirect access to the data. Users who access the data controller's information systems must know and comply with the rules and security measures that correspond to their functions. These rules and security measures are set out in this document and are mandatory for all users and personnel of the data controller; any modification by the data controller of the rules and measures regarding the security of personal data must be brought to the attention of the users.

Principle of confidentiality: All persons involved in the processing of personal data that are not public in nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks included in the processing, and may only provide or communicate personal data when this corresponds to the development of authorized activities.

4. Special categories of data.

4.1. Sensitive data.

Sensitive data are those that affect the privacy of the Owner or whose misuse may lead to discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social or human rights organizations or organizations that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sexual life and biometric data.

The processing of sensitive data is prohibited, except when:

  • The Owner has given explicit authorization for such treatment, except in cases where the law does not require such authorization.
  • The processing is necessary to safeguard the vital interest of the Owner and the Owner is physically or legally incapacitated. In these cases, the legal representatives must grant their authorization.
  • The processing is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit organization whose purpose is political, philosophical, religious or trade union, provided that the data refer exclusively to its members or to people who maintain regular contact with it because of its purpose. In these cases, the data cannot be provided to third parties without the authorization of the Owner.
  • The treatment refers to data that is necessary for the recognition, exercise or defense of a right in a judicial proceeding.
  • The treatment has a historical, statistical or scientific purpose. In this case, measures must be taken to suppress the identity of the Owners.

4.2. Children's and adolescents' rights

The processing of personal data of children and adolescents is prohibited, except when it comes to data of a public nature, and when such treatment meets the following requirements:

  • That it is responsive to and respects the best interests of children and adolescents.
  • That respect for their fundamental rights be ensured.

Once the above requirements have been met, the legal representative of the child or adolescent will grant the authorization, after the minor has exercised their right to be heard; the minor's opinion will be evaluated taking into account their maturity, autonomy and ability to understand the matter.

It is the task of the State and educational entities of all kinds to provide information and train legal representatives and guardians on the possible risks faced by children and adolescents regarding the improper processing of their personal data, and to provide knowledge about the responsible and safe use by children and adolescents of their personal data, their right to privacy and protection of their personal information and that of others.

Every person responsible and processor involved in the processing of the personal data of children and adolescents must ensure their proper use, complying at all times with the principles and obligations. In any case, treatment will ensure respect for the prevailing rights of children and adolescents.

The rights of access, correction, deletion, revocation or complaint for infringement of the data of children and adolescents shall be exercised by persons who are empowered to represent them.

4.3 Rights of the Owners.

Data Subjects can exercise a number of rights in relation to the processing of their personal data. These rights may be exercised:

  • By the Owner, who must sufficiently prove their identity by the different means made available by the data controller.
  • By the Owner's successors, who must prove such status.
  • By the representative and/or proxy of the Owner, after accreditation of the representation or power of attorney.
  • By stipulation in favor of another or on behalf of another.

The rights of children or adolescents shall be exercised by those who are empowered to represent them.

The rights of the Owner are as follows:

  • Right of access or consultation: The right of the Owner to be informed by the data controller, upon request, about the origin, use and purpose given to their personal data.
  • Right to complaints and grievances. The Act distinguishes four types of claims:
  • Correction claim: the right of the Owner to have partial, inaccurate, incomplete, fractional or misleading data updated, rectified or modified, as well as data whose processing is expressly prohibited or has not been authorized.
  • Deletion claim: the right of the Owner to have data deleted that is inadequate, excessive or that does not respect constitutional and legal principles, rights and guarantees.
  • Revocation claim: the right of the Owner to rescind the authorization previously given for the processing of their personal data.
  • Infringement claim: the right of the Owner to request that non-compliance with Data Protection regulations be remedied.
  • Right to request proof of the authorization granted to the data controller.
  • Right to file complaints with the local authorities for violations: the Owner or their successor may only submit this complaint once they have exhausted the consultation or complaint procedure with the data controller or processor.
  • Right to refrain from answering questions about sensitive data. Answers that relate to sensitive data or to data of minors are optional.

5. Authorization of the treatment policy.

For the processing of personal data, the prior and informed authorization of the Owner is required. By accepting this policy, any Owner who provides information relating to their personal data consents to the processing of their data by the data controller, in the terms and conditions set out herein.

The authorization of the Owner will not be necessary when it comes to:

  • Information required by a public or administrative entity in the exercise of its legal functions or by court order.
  • Data of a public nature.
  • Cases of medical or health emergencies.
  • Information processing authorized by law for historical, statistical or scientific purposes.
  • Data related to the Civil Registry of individuals.

Minors:

The personal data of minors have special protection and therefore their processing is prohibited, except when it comes to data of a public nature, and when such treatment meets the following parameters and requirements:

  • That it responds to and respects the best interests of children and adolescents.
  • That respect for their fundamental rights be ensured.
  • Once the above requirements have been met, the legal representative of the child or adolescent will grant the authorization, after the minor has exercised their right to be heard; the minor's opinion will be evaluated taking into account their maturity, autonomy and capacity to understand the matter. Every data controller and processor involved in the processing of the personal data of children and adolescents must ensure their appropriate use.

6. Responsible for the treatment.

The person responsible for the processing of the databases, the subject of this policy, is FARANDA HOTELS.

6.1. The obligations of the data controller.

The security obligations of the personal data processed by the data controller are as follows:

  • Coordinate and implement the security measures set out in this document.
  • Disseminate the said document to the affected personnel.
  • Keep this Manual updated and revised whenever there are significant changes in the information system, the treatment system, the organization of the institution, the content of the information in the databases, or as a result of the periodic checks carried out. In the same way, its content will be reviewed when there are any changes that may affect compliance with security measures.
  • Designate one or more security officers and identify users authorized to access databases.
  • Ensure that access through computer systems and applications is carried out using an identified user account and password.
  • Authorize, unless expressly delegated to authorized users identified in this Manual, the release of media outside the establishments where the databases are located; the input and output of information via network or through electronic or paper storage devices; and the use of modems and data downloads.
  • Check every six months the correct application of the backup and data recovery procedure.
  • Ensure that there is a list of authorized users and user profiles.
  • Analyze, together with the corresponding security officer, the incidents recorded to establish appropriate corrective measures, at least every two months.
  • Perform an audit, internal or external, to verify compliance with data protection security measures, at least every 6 months. 

Duties of FARANDA HOTELS as responsible for the processing of personal data:

a. Guarantee the holder, at all times, the full and effective exercise of the right to habeas data.

b. Request and keep a copy of the respective authorization granted by the owner for the processing of personal data.

c. Duly inform the owner about the purpose of the collection and the rights granted to him by virtue of the authorization granted.

d. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.

e. Ensure that information is true, complete, accurate, up to date, verifiable and understandable.

f. Update the information in a timely manner, thus taking into account all the news regarding the owner's data. Additionally, all necessary measures must be implemented to keep the information up to date.

g. Rectify information when it is incorrect and communicate what is appropriate.

h. Respect the security and privacy conditions of the owner's information.

i. To process inquiries and complaints made in the terms indicated by law.

j. Identify when certain information is under discussion by the owner.

k. Inform at the request of the owner about the use given to their data.

l. Inform the data protection authority when there are violations of security codes and there are risks in the management of the information of the owners.

m. Comply with the requirements and instructions given by the Superintendency of Industry and Commerce on the particular subject.

n. Use only data whose processing is previously authorized.

o. Ensure the appropriate use of the personal data of children and adolescents, in those cases in which the processing of their data is authorized.

p. Record in the database the legends “pending claim” as regulated by law.

q. Insert in the database the legend “information under judicial discussion” once notified by the competent authority about judicial processes related to the quality of personal data.

r. Refrain from circulating information that is being disputed by the owner and whose blocking has been ordered by the Superintendency of Industry and Commerce.

s. Allow access to information only to persons authorized to access it.

t. Use the owner's personal data only for those purposes for which they are duly empowered and in any case in compliance with current regulations on the protection of personal data.

7. Treatment and purposes of databases

FARANDA HOTELS, in carrying out its activities, processes personal data relating to natural persons that are contained and processed in databases intended for legitimate purposes.

FARANDA HOTELS may collect personal data, through different means (physical or digital). In any case, the collection will be done under the express authorization of the owner of the data and the processing of these will be subject to the provisions of the law.

In accordance with the authorizations issued by the owners of the information, FARANDA HOTELS will carry out operations or sets of operations that include data collection, storage, use, circulation and/or deletion, and delivery of data to third parties acting as processors or managers, in accordance with the agreement reached between the parties. This Data Processing will be carried out exclusively for the authorized purposes provided for in this Policy and in the specific authorizations granted by the owner. Personal Data Processing will also be carried out when there is a legal or contractual obligation to do so, always under the guidelines of the data controller's Information Security policies. In all cases, personal data may be processed for the purpose of carrying out control processes and internal and external audits and evaluations carried out by control bodies. Likewise, in execution of the corporate purpose of the companies that make up FARANDA HOTELS, personal data will be processed according to the interest group and in proportion to the purpose or purposes of each treatment, as described below:

The following table presents the different databases and the purposes assigned to each of them:

Table I.

Databases and purposes

EMPLOYEES, INTERNS, CANDIDATES FOR VACANCIES:

  1. Manage and operate, directly or through third parties, personnel selection and engagement processes, including the evaluation and qualification of participants, the verification of work and personal references, and the conduct of security and background studies;
  2. Develop activities related to human resources management, such as payroll, affiliations to entities of the general social security system, welfare and occupational health activities, exercise of the employer's sanctioning power, among others;
  3. Make the necessary payments derived from the execution of the employment contract and/or its termination, and any other social benefits that may arise in accordance with applicable law;
  4. Send all types of communications related to human resources activities and the administration of human personnel;
  5. Take out employment benefits with third parties, such as life insurance, medical expenses, and others;
  6. Notify authorized contacts in case of emergencies during working hours;
  7. Coordinate the professional development of employees, employee access to the Employer's computer resources and assist in their utilization;
  8. Plan business activities;
  9. Control access to offices and establish security measures;
  10. Transfer and/or transmit the information collected in favor of its related companies in Colombia and abroad, and to national and foreign managers and/or processors and to third parties, when this is necessary for the development of their operations and payroll management (portfolio collection and administrative collections, treasury, accounting, among others);
  11. Train its staff and send them communications of all kinds.
  12. Use private and semi-private data for the purposes mentioned here. Sensitive data will be used for video surveillance and security.
  13. Any other activity of a nature similar to those described above that are necessary to develop the corporate purpose.

SUPPLIERS OF GOODS AND SERVICES

  1. Collect, register, update and maintain your personal data for the purpose of informing, communicating, organizing, controlling, servicing, accrediting activities in relation to your status as a supplier and contractor of the company
  2. Analyze financial, technical and any other aspects that allow the company to identify the supplier's compliance capacity.
  3. Develop and apply selection processes, evaluation, preparation of responses to a request for information, prepare requests for quotation and proposal, and/or award of contracts.
  4. Managing personal data to make payments to suppliers, including the administration of bank account numbers for the proper management of payments to be made by the company
  5. Manage the SUPPLIER's data to carry out payment processes for invoices and collection accounts submitted to the company.
  6. Comply with the obligations deriving from the commercial relationship established with THE SUPPLIER.
  7. Require compliance with the obligations on the part of the SUPPLIER.
  8. Assign physical and logical controls to computer and information facilities and assets owned by the company.
  9. Manage and operate, directly or through third parties, the processes for selecting and engaging SUPPLIERS, including evaluating and qualifying suppliers, verifying work and personal references, and carrying out security and background studies;
  10. Develop human resources management activities within the Company, such as affiliations to entities of the general social security system and the like;
  11. Make the necessary payments resulting from the execution of the service contract and/or its termination;
  12. Send all types of communications related to the pre-contractual and contractual relationship with the supplier;
  13. Notify authorized contacts in case of emergencies in the development of the provider's services;
  14. Plan business activities;
  15. Control access to the Company's offices and establish security measures;
  16. Transfer and/or transmit the information collected in favor of its related companies in Colombia and abroad, and to national and foreign managers and/or processors and to third parties, when this is necessary for the development of their operations (portfolio collection and administrative collections, treasury, accounting, among others);
  17. Register contractors and suppliers in the Company's systems and process their payments;
  18. Train suppliers on Company policies;
  19. Use private and semi-private data for the purposes mentioned here. Sensitive data will be used for video surveillance and security.
  20. Any other activity of a nature similar to those described above that are necessary to carry out the Company's corporate purpose.

CUSTOMERS

  1. Generate hotel and air reservations, as well as modifications, cancellations and changes and the associated refunds;
  2. To comply with obligations contracted by the company with its customers when they purchase our services and products and, in particular, to manage matters related to their hotel registration and care during the stay (including nursing care);
  3. Send information about changes in the conditions of the services and products offered by the company;
  4. To provide personal safety.
  5. Send information about offers related to the services and products offered by the company and its related companies;
  6. Collect personal information through electronic means, such as web pages and social media portals, for the purpose of sending advertising to the customer for the Company's services and third parties related to the same sector.
  7. Share personal data with third parties in the hotel sector, in order to send advertising for their services to the customer.
  8. Manage payments, reservations, cancellations and other activities associated with the use of the benefits offered by the company;
  9. Allow the Owners to participate in marketing and promotional activities (including participation in contests, raffles and sweepstakes), and to carry them out on social networks.
  10. Facilitate the design and implementation of loyalty programs;
  11. Evaluate the quality of the service, carry out market studies on consumer habits and statistical analysis for internal uses;
  12. Carry out internal or external auditing processes specific to the commercial activity carried out by the company;
  13. Manage goods and services provided by third parties for the proper development of the company's commercial activity, for example, air and land transport companies, providers of information hosting services, associated international partners, among others;
  14. Allow companies linked to the company, with which it has concluded contracts that include provisions to ensure the security and adequate processing of the personal data processed, to contact the owner for the purpose of offering him goods or services of interest;
  15. Control access to the Company's facilities and establish security measures, including the establishment of video-monitored areas;
  16. Respond to queries, requests, complaints and claims made by the Data Subjects, and to control bodies and other authorities that, by virtue of applicable law, must receive Personal Data;
  17. Transfer and/or transmit the information collected in favor of its related companies in Colombia and abroad, and to national and foreign managers and/or managers, to third parties, when this is necessary for the development of their operations (portfolio collection and administrative collections, treasury, accounting, marketing, sending promotions, among others);
  18. Use the different services corresponding to websites, including downloads of content and formats;
  19. Record your personal data in the company's information systems and in its commercial and operational databases;
  20. Use private and semi-private data for the purposes mentioned here. Sensitive data will be used for video surveillance and security.
  21. Any other activity of a nature similar to those described above that are necessary to carry out the Company's corporate purpose.

SHAREHOLDERS AND DIRECTORS OF THE COMPANY

The personal data of the shareholders and members of the company's Board of Directors are recorded in the company's shareholder books and in a physical and/or digital file or folder. This type of information is legally required to be kept confidential. The processing of personal data of shareholders and members of the company's Board of Directors will be carried out in accordance with the provisions of the Commercial Code and other regulations governing this matter. The purposes that will apply to the personal data of shareholders and members of the Board of Directors are the following:

  1. Background check.
  2. Send communications and calls on company matters, assembly meetings and board of directors.
  3. Process fee payments and the like.
  4. Make reports to supervisory bodies and public authorities.
  5. Guarantee the duties and rights that derive from the status of shareholders and members of the Board of Directors.
  6. Collect, record and update the personal data of shareholders and members of the Board of Directors for the purpose of informing the activities carried out by the company, in relation to their status as shareholder and member of the Board of Directors.
  7. Use private and semi-private data for the purposes mentioned here, to the extent permitted by law.
  8. Any other activity of a nature similar to those described above that are necessary to carry out the Company's corporate purpose.

7.1 Attention to Data Subjects

Every customer has the right to obtain information and to access their collected personal data, subject to applicable legal provisions. You also have the rights to rectify, delete and limit the processing of your data. In addition, the customer has the right to data portability and to define instructions for their treatment after their death. You can even object to the processing of your data.

If you would like to exercise any of these rights, please contact directly “GHS GLOBAL HOSPITALITY SERVICES S.A.S.”, via email at the address habeasdata@farandahotels.com

In order to ensure the confidentiality and protection of your personal data, we must identify you to respond to your request. To this end, if there is any reasonable doubt about your identity, we will ask you to attach a copy of an official identity document to support your request.

All requests will be processed as soon as possible and in accordance with applicable law.

You can also exercise your rights with respect to personal data held and processed by a hotel in its capacity as data controller. To do this, you must contact the hotel in question directly. You will find all the information you need to contact a hotel on the following website: www.farandahotels.com. For assistance during these processes, write to habeasdata@farandahotels.com

8. Procedures for exercising the rights of the Owner.

8.1. Right of access or consultation.

The Data Subject may consult their personal data free of charge in two cases:

  • At least once every calendar month.
  • Every time there are substantial changes to the information processing policies that motivate new inquiries.

For inquiries more frequent than one per calendar month, the data controller may only charge the Data Subject for shipping, reproduction and, where appropriate, document certification costs. The reproduction costs cannot exceed the cost of retrieving the corresponding material. For this purpose, the data controller must demonstrate to the Superintendency of Industry and Commerce, when it so requires, the support for such expenses.

The Data Subject may exercise the right of access or consultation of their data by writing to the email address habeasdata@farandahotels.com, indicating in the subject “exercise of the right of access or consultation”. The request must contain the following data:

  • Name and surname of the Owner.
  • Photocopy of the Holder's Citizenship Certificate and, where appropriate, of the person who represents him, as well as of the document accrediting such representation.
  • Petition specifying the access or consultation requested.
  • Address for notifications, date and signature of the applicant.
  • Documents supporting the request made, when appropriate.

The Owner may choose one of the following forms of consulting the database to receive the requested information:

  • On-screen display.
  • In writing, with a copy or photocopy sent by certified mail or not.
  • Email or other electronic media.
  • Another system suitable for the configuration of the database or the nature of the treatment, offered by the person responsible for the treatment.

Once the request has been received, the data controller will resolve the request for consultation within a maximum period of ten (10) business days from the date of receipt of the request. When it is not possible to respond to the query within that deadline, the interested party will be informed, stating the reasons for the delay and stating the date on which their query will be answered, which in no case may exceed five (5) business days following the expiration of the first term. These deadlines are set out in Article 14 of the LEPD.

Once the consultation process has been exhausted, the Owner or the responsible party may file a complaint with the local authority.

8.2. Rights to complaints and grievances.

The Data Subject can exercise the right to complain about their data by writing to the email habeasdata@farandahotels.com, indicating in the subject “exercise of the right to complaint or claim”. The request must contain the following information:

  • Name and surname of the Owner.
  • Photocopy of the Holder's Citizenship Certificate and, where appropriate, of the person who represents him, as well as of the document accrediting such representation.
  • Description of the facts and request specifying the request for correction, deletion, revocation or inflation.
  • Address for notifications, date and signature of the applicant.
  • Documents supporting the request made that you want to assert, when appropriate.

If the claim is incomplete, the interested party will be required within five (5) days of receiving the complaint to remedy the flaws. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that he has withdrawn the claim.

Once the complete claim has been received, a legend that says “pending claim” and the reason for the claim will be included in the database, in a term not exceeding two (2) business days. This legend must be kept until the claim is decided.

The data controller will resolve the claim within a maximum period of fifteen (15) business days from the date of receipt of the request. When it is not possible to respond to the claim within that period, the interested party will be informed of the reasons for the delay and the date on which their claim will be dealt with, which in no case may exceed eight (8) business days following the expiration of the first term.

Once the complaint process has been exhausted, the Owner or the responsible party may file a complaint with the Superintendency of Industry and Commerce.

9. Security measures

FARANDA HOTELS, in order to comply with the principle of security, has implemented technical, human and administrative measures necessary to guarantee the security of records, avoiding their adulteration, loss, consultation, unauthorized or fraudulent use or access.

On the other hand, FARANDA HOTELS, by signing the corresponding transmission contracts, has required the data processors (those in charge of the treatment) with whom it works to implement the necessary security measures to guarantee the security and confidentiality of information in the processing of personal data.

The security measures implemented by FARANDA HOTELS are set out below and developed in this document (Tables II, III, IV and V).

Table II. Common security measures for all types of data (public, semi-private, private, sensitive) and databases (automated, not automated)

Audit

  • Regular auditing (internal or external) every 6 months.
  • Possible extraordinary audits for substantial changes in information systems.
  • Deficiency detection report and proposed corrections.
  • Analysis and conclusions of the security officer and the data controller.
  • Preservation of the report at the disposal of the authority.

Document and media management

  • Measures, such as a paper shredder, that prevent improper access to or recovery of data that has been discarded, deleted or destroyed.
  • Restricted access to the place where the data is stored.
  • Labeling system or identification of the type of information.
  • Inventory of the media on which databases are stored.
  • Authorization by the person responsible for the output of documents or media by physical or electronic means.

Access control

  • User access limited to the data necessary for the performance of their functions, according to the role they play.
  • Updated list of authorized users and accesses.
  • Written authorization from the owner of the information for the delivery of their data to third parties, to prevent access to data with rights other than those authorized.
  • Granting, alteration or cancellation of permissions only by authorized personnel.

Incidents

  • Incident log: type of incident, time at which it occurred, issuer of the notification, recipient of the notification, effects and corrective measures.
  • Incident notification and management procedure.

Personnel

  • Definition of the roles and obligations of users with access to data.
  • Definition of the control functions and authorizations delegated by the data controller.
  • Disclosure to staff of the rules and of the consequences of non-compliance with them.

Policies and Procedures

  • Preparation and implementation of the Mandatory Compliance Manual for Staff.
  • Minimum content: scope of application, security measures and procedures, staff functions and obligations, description of databases, incident response procedures, data copy and recovery procedure, security measures for the transport, destruction and reuse of documents, identification of treatment orders.

Table III. Common security measures for all types of data (public, semi-private, private, sensitive) depending on the type of databases

Non-automated databases

Archive
  1. Documentation archive, following procedures that ensure proper conservation, location and consultation and the exercise of the rights of the Owners.

Document storage
  1. Storage devices with mechanisms that prevent access by unauthorized persons.

Custody of documents
  1. Duty of care and custody by the person in charge of documents during their review or processing.

Automated databases

Identification and Authentication
  1. Personalized identification of users to access information systems and verify their authorization.
  2. Identification and authentication mechanisms; passwords: assignment, expiration and encrypted storage.

Telecommunications
  1. Access to data through secure networks.

Table IV. Data security measures depending on the type of databases

Automated and non-automated databases

Auditing
  • Ordinary audit (internal or external) every 6 months.
  • Possible extraordinary audits due to substantial changes in information systems.
  • Deficiency detection report and proposed corrections.
  • Analysis and conclusions of the security officer and the data controller.
  • Preservation of the report at the disposal of the authority.

Security Officer
  • Appointment of one or more security officers.
  • Appointment of one or more people responsible for the control and coordination of the measures in the Manual, policies and procedures.
  • Prohibition of delegation of the responsibility of the data controller to the security manager.

Habeas Data Policies and Procedures
  • Compliance checks at least once a year, consisting of an audit every 6 months, as well as staff training at least once a year.

Automated databases

Document and media management
  • Registration of input and output of documents and media: date, issuer and receiver, number, type, information, form of shipment, and the person responsible for receiving or delivering.

Access control
  • Access control to the place or places where information systems are located.

Identification and authentication
  • Mechanism that limits the number of repeated unauthorized access attempts.

Incidents
  • Record of data recovery procedures, the person who executes them, restored data and manually recorded data.
  • Authorization of the data controller for the execution of recovery procedures.

Table V. Data security measures depending on the type of databases

Non-automated databases

Access control
  • Access for authorized personnel only.
  • Access identification mechanism.
  • Record of unauthorized user access.

Document storage
  • File cabinets, cabinets or other devices located in areas protected with keys or other measures.

Copy or reproduction
  • Only by authorized users.
  • Destruction that prevents access to or recovery of data.

Transfer of documentation
  • Measures that prevent access to or manipulation of documents.

Automated databases

Management of documents and supports
  • Confidential labeling system.
  • Data encryption.
  • Encryption of portable devices when they are removed.

Access control
  • Access log: user, time, database accessed, type of access, record accessed.
  • Control of the access log by the security officer, with a monthly report.
  • Data retention: for as long as the laws require.

Telecommunications
  • Data transmission through encrypted electronic networks.

9.1. Security officers 

Security officers have the following functions:

  • Coordinate and control the implementation of security measures, and collaborate with the data controller in disseminating this Policy and Manual.
  • Coordinate and control the mechanisms that allow access to the information contained in the databases, and produce a periodic report on that control.
  • Manage access permissions to data for the authorized users identified in this manual.
  • Make the incident log available to all users so that they can report and record incidents related to data security; agree corrective measures with the data controller and record them.
  • Periodically check the currency and validity of the list of authorized users, the existence and validity of backup copies for data recovery, the updating of this manual and compliance with the measures related to data inputs and outputs.
  • Define the intervals at which audits will be carried out, which cannot exceed one year.
  • Receive and analyze the audit report, draw conclusions from it and propose corrective measures to the data controller.
  • Manage and control the entry and exit records of documents or media containing personal data.

9.2. Users

All persons involved in the storage, processing, consultation or any other activity related to the personal data and information systems of the data controller must act in accordance with the functions and obligations set out in this section.

The data controller complies with the duty to provide information through the confidentiality agreements and duty-of-secrecy undertakings that are signed, where appropriate, by users of the identification systems for databases and information systems, and through an informational circular addressed to them.

The functions and obligations of the data controller's staff are defined generally according to the type of activity they carry out within the institution and, specifically, by the content of this Manual. The list of users and profiles with access to protected resources is included in this document.

In general, when a user deals with documents or media containing personal data, he has a duty to guard them, as well as to monitor and control that unauthorized persons cannot access them.

Failure to comply with the obligations and security measures established in this Habeas Data Policy and Procedures Document by personnel at the service of the data controller is punishable in accordance with the regulations applicable to the existing legal relationship.

The functions and obligations of users of the personal databases under the responsibility of the data controller are the following:

  • Duty of secrecy: it applies to all people who, in the course of their profession or work, access personal databases, and binds both users and contracted service providers. In compliance with this duty, users of the data controller cannot communicate or disclose to third parties data that they handle or become aware of in the performance of their functions, and must ensure their confidentiality and integrity.

  • Control functions and delegated authorizations: the data controller may delegate the processing of data to third parties, to act as a data processor, through a transmission contract of data.

  • Obligations related to the security measures implemented:
      • Access databases only with proper authorization and when necessary for the exercise of their functions.
      • Do not disclose information to third parties or unauthorized users.
      • Observe security regulations and work to improve them.
      • Do not perform actions that pose a danger to information security.
      • Do not remove information from the organization's facilities without proper authorization.

  • Use of resources and work materials: these should be used only for the exercise of the assigned functions. The use of these resources and materials for personal purposes or for tasks other than those corresponding to the job is not authorized. When, for justified work reasons, it is necessary to take peripheral or removable devices out of the premises, the user must contact the corresponding security officer, who can authorize it and, if necessary, record it.

  • Using printers, scanners, and other copy devices: When using this type of device, copies must be collected immediately, avoiding leaving them in their trays.

  • Obligation to report incidents: users have the obligation to report incidents of which they become aware to the appropriate security officer, who will be responsible for their management and resolution. Some examples of incidents are: a failure of the computer security system that allows unauthorized persons to access personal data, an unauthorized attempt to take out a document or medium, the loss of data or the total or partial destruction of media, a change in the physical location of databases, the disclosure of passwords to third parties, the modification of data by unauthorized personnel, etc.

  • Duty of custody of the media used: obliges the authorized user to monitor and ensure that unauthorized persons cannot access the information contained in the media. Media that contain databases must identify the type of information they contain by means of a labeling system and must be inventoried.

  • Responsibility for work terminals and laptops: each user is responsible for their own work terminal; when they are absent from their workstation, they must lock that terminal (e.g. a password-protected screen lock) to prevent viewing or accessing the information it contains, and they have the duty to turn off the terminal at the end of the working day. In addition, laptop computers must be kept under control at all times to avoid loss or theft.

  • Limited use of the Internet and email: The sending of information electronically and the use of the Internet by staff is limited to the performance of their activities.

  • Safeguarding and protecting passwords: The passwords provided to users are personal and non-transferable, so their disclosure or communication to unauthorized persons is prohibited. When the user logs in for the first time with the assigned password, it is necessary to change it. When it is necessary to restore the password, the user must report this to the system administrator.

  • Backup copies and data recovery: all information in the institution's personal databases must be backed up.

  • Duty to archive and manage documents and supports: Documents and supports must be properly archived with the security measures set out in this manual.

10. Transfer of data to third countries.

The transfer of personal data to countries that do not provide adequate levels of data protection is prohibited. This prohibition will not apply when it comes to:

  • Information for which the Owner has granted his express and unambiguous authorization for the transfer.
  • Exchange of medical data, when required by the Data Subject's treatment for reasons of health or public hygiene.
  • Bank or stock transfers, in accordance with the legislation that is applicable to them.
  • Transfers agreed within the framework of international treaties, based on the principle of reciprocity.
  • Transfers necessary for the execution of a contract between the Data Subject and the data controller, or for the execution of pre-contractual measures, provided that the Data Subject has given authorization.
  • Legally required transfers for the safeguarding of the public interest, or for the recognition, exercise or defense of a right in a judicial proceeding.

In cases not considered as an exception, it will be up to the Local Authority to issue the declaration of conformity relating to the international transfer of personal data.

International transfers of personal data carried out between a controller and a processor, to allow the processor to carry out the processing on behalf of the controller, will not require the Data Subject to be informed or to give consent, provided that there is a personal data transmission contract.

CHAPTER II
OF SECURITY MEASURES

1. Compliance and updating.

This is an internal document that is mandatory for all FARANDA HOTELS staff, with access to information systems containing personal data.

This Habeas Data Policies and Procedures manual must be subject to permanent revision and updating whenever there are changes in the information systems, the treatment system, the organization or the content of the information in the databases, which may affect the security measures implemented. In addition, the manual must be adapted at all times to the legal regulations on the security of personal data.

2. Security measures.

The databases are accessible only by the persons designated by the person responsible for the treatment, and referred to in the Numeral 12 of this document.

Those responsible for security, indicated in Numeral 12 of this manual, are responsible for managing users' access permissions, for the assignment and distribution procedure that guarantees the confidentiality, integrity and storage of passwords during their validity, and for the frequency with which passwords are changed.

The security measures implemented by the data controller are listed and detailed below.

2.1 Common Security Measures.

2.1.1 Management of documents and supports.

The documents and media on which the databases are located are determined in the inventory of documents and supports.

Those responsible for monitoring and controlling that unauthorized persons cannot access documents and supports containing personal data are the users authorized to access them. Authorized users are referred to in the Numeral 12 on databases and information systems in this manual.

Documents and supports must classify the data according to the type of information they contain, be inventoried and be accessible only by authorized personnel, unless their characteristics make the mentioned identification impossible, in which case a reasoned record will be left in the registration of entry and exit of documents and in this manual.

The release of documents and media containing personal data outside the premises that are under the control of the data controller must be authorized by the latter. This precept also applies to documents or supports attached and sent by email.

The data controller's inventory of documents and supports must be included as an annex to this manual.

3. Access control.

The data controller's staff should only access those data and resources necessary for the performance of their functions and for which they are authorized by the data controller in this manual.

The data controller is responsible for storing an updated list of users, user profiles, and the authorized accesses for each of them. In addition, it has mechanisms to prevent access to data with rights other than those authorized. In the case of computer media, it may consist of assigning passwords, and in the case of documents, in the delivery of keys or mechanisms for opening storage devices where the documentation is archived.

The modification of any data or information, as well as the granting, alteration, inclusion or cancellation of authorized access and of the users included in the updated list mentioned in the previous paragraph, corresponds exclusively to authorized personnel.

Any personnel outside the data controller who, in an authorized and legal manner, have access to protected resources, will be subject to the same conditions and will have the same security obligations as their own personnel.

The users authorized to access the databases are established in the Numeral 6 of this manual.

3.1 Execution of treatment outside the institution.

The storage of personal data of the data controller or processor on portable devices and their processing outside the natural workplace requires prior authorization from the data controller, and compliance with the security guarantees corresponding to the processing of this type of data.

3.2 Temporary databases, copies and reproductions.

Temporary databases or copies of documents created for temporary or ancillary work must meet the same level of security as the original databases or documents. Once they are no longer needed, these temporary databases or copies are deleted or destroyed, thus preventing access to or retrieving the information they contain.

Only the personnel authorized in Numeral 12 may make copies of or reproduce the documents.

3.3 Security Officer.

In accordance with data protection regulations, the appointment of security officers does not exempt the data controller or processor from liability.

4. Auditing.

Databases containing personal data that are processed by the data controller and classified at the sensitive or private security level must be audited every 6 months. This can be an internal or external audit that verifies compliance with the security measures contained in this manual.

Both information systems and data storage and processing facilities will be audited.

The data controller will carry out an extraordinary audit whenever substantial modifications are made to the information system that may affect compliance with security measures, in order to verify their adaptation, appropriateness and effectiveness.

The audits will conclude with an audit report that will contain:

  • The opinion on the adaptation of measures and controls to data protection regulations.
  • The identification of the deficiencies found and the suggestion of necessary corrective or complementary measures.
  • The description of the data, facts and observations on which the proposed opinions and recommendations are based.

The security officer will study the report and, where appropriate, transfer its conclusions to the data controller so that corrective measures can be implemented. The audit reports will be attached to this manual and will be available to the Supervisory Authority.

5. Security measures for non-automated databases.

5.1 File of documents.

The data controller establishes the criteria and procedures for action that must be used for the filing of documents containing personal data in accordance with the Law. The archiving criteria guarantee the conservation, location and consultation of documents and make possible the rights of consultation and complaint of the Holders. These criteria and procedures are set out in the Numeral 12 of this manual.

It is recommended that documents be archived taking into account, among other criteria, how often users with authorized access consult them, whether their management and/or processing is current, and the distinction between historical databases and those used for the administration or management of the institution.

Document storage devices must have keys or other mechanisms that make it difficult to open them, except when their physical characteristics prevent it, in which case the data controller will take the necessary measures to prevent access by unauthorized persons.

When documents containing personal data are being reviewed or processed and, therefore, outside the storage devices, either before or after they are archived, the person in charge of them must guard them and in any case prevent unauthorized persons from accessing them.

Storage devices containing documents with personal data classified at the sensitive security level must be located in areas or rooms whose access is protected by doors with key-operated locks or similar mechanisms. These areas should remain closed whenever access to such documents is not required. If the above cannot be complied with, the data controller may adopt duly justified alternative measures, which will be included in this document.

The storage security measures are described in Numerals 6 and 7 of this document.

6. Access to documents.

Access to documents must be made exclusively by the personnel authorized in Numeral 12 of the manual, following the defined mechanisms and procedures. Those mechanisms must identify and record the accesses made to the classified documentation.

The procedure for accessing documents containing personal data involves recording each access to the documentation: the identity of the person accessing it, the time at which the access occurred and the documents that were accessed. Access to documents with this type of data is carried out by authorized personnel; if it is carried out by unauthorized persons, it must be supervised by an authorized user or by the security officer concerned.

7. Security measures for automated databases.

7.1 Identification and Authentication.

The data controller must install a computer security system that allows users of information systems to be correctly identified and authenticated, in order to ensure that only authorized personnel can access the databases.

It must also establish a mechanism that identifies, personally and unambiguously, any user who tries to access the information system and that verifies whether they are authorized. Identification must use a system that is unique to each user who accesses the information, taking into account the username, the employee identification, the name of the department, etc.

When the authentication system is based on the entry of passwords, a procedure must be implemented for assigning, distributing and storing passwords. To ensure their integrity and confidentiality, it is recommended that passwords have a minimum of eight characters and contain uppercase letters, lowercase letters and numbers.

On the other hand, the data controller must ensure that passwords are changed periodically, never for longer than 365 days.

The data controller also guarantees automated, internal storage and encryption of passwords while they are in effect, and will adopt a mechanism to limit repeated attempts at unauthorized access.
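The Numeral 7.1 rules as a credential-handling routine: complexity at assignment time, a forced change on first login (Numeral 11), hashed storage, rotation no later than 365 days, and a limit on repeated failed attempts. This is an added example, not FARANDA HOTELS' own code; the attempt limit of five and the PBKDF2 parameters are assumptions, since the policy sets neither.

```python
"""Added example (not FARANDA HOTELS' code): enforce the Numeral 7.1 password rules."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date, timedelta

MIN_LENGTH = 8                            # Numeral 7.1: at least eight characters
MAX_PASSWORD_AGE = timedelta(days=365)    # Numeral 7.1: change at least yearly
MAX_FAILED_ATTEMPTS = 5                   # assumption: the policy sets no number
PBKDF2_ROUNDS = 100_000                   # assumption: any slow, salted hash will do


def complexity_problems(password: str) -> list[str]:
    """Return the Numeral 7.1 complexity rules that the password violates."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    return problems


@dataclass
class Credential:
    username: str
    salt: bytes
    digest: bytes          # only the salted hash is stored, never the password
    set_on: date           # used for the 365-day rotation check
    failed_attempts: int = 0
    must_change: bool = True   # an assigned password must be changed on first login


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def set_password(username: str, password: str, today: date,
                 assigned: bool = True) -> Credential:
    """Store a new password after checking complexity; assigned=True means the
    administrator issued it, so the user must replace it at first login."""
    problems = complexity_problems(password)
    if problems:
        raise ValueError("password rejected: " + ", ".join(problems))
    salt = os.urandom(16)
    return Credential(username, salt, _digest(password, salt), today, 0, assigned)


def authenticate(cred: Credential, password: str, today: date) -> str:
    """Return 'locked', 'denied', 'expired', 'change-required' or 'ok'."""
    if cred.failed_attempts >= MAX_FAILED_ATTEMPTS:
        return "locked"                    # repeated attempts are limited
    if not hmac.compare_digest(_digest(password, cred.salt), cred.digest):
        cred.failed_attempts += 1
        return "locked" if cred.failed_attempts >= MAX_FAILED_ATTEMPTS else "denied"
    cred.failed_attempts = 0
    if today - cred.set_on > MAX_PASSWORD_AGE:
        return "expired"                   # older than 365 days: must be changed
    if cred.must_change:
        return "change-required"           # first login with an assigned password
    return "ok"
```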

8. Entry and exit of documents or media

The entry of documents or supports must be registered indicating the type of document or medium, the date and time, the issuer, the number of documents or supports included in the shipment, the type of information they contain according to the level of security, the form of shipment and the person responsible for receiving them. The output or shipment of documents or supports, duly authorized, must be registered indicating the type of document or medium, the date and time, the receiver, the number of documents or supports included in the shipment, the type of information they contain according to the level of security, the form of shipment and the person responsible for the shipment.

The entry and exit registration system should be attached to this document.

The facilities of the data controller house the information systems that contain personal data, which must be duly protected in order to guarantee the integrity and confidentiality of such data; likewise, they must comply with the physical security measures corresponding to the document or medium on which the data is held.

The data controller has the duty to inform their staff of their obligations in order to physically protect the documents or supports on which the databases are located, not allowing them to be handled, used or identified by persons not authorized in this manual.

Only authorized personnel can access the places where the equipment that supports information systems is installed.

9. Backup copies and data recovery.

The data controller will carry out the necessary action procedures to make backup copies, at least once a month, except when there has been no update to the data during that period. All databases must have a backup copy from which data can be recovered.

The data controller has likewise established data recovery procedures whose objective is to ensure, at all times, that data can be reconstructed to the state it was in before its loss or destruction. When the loss or destruction affects partially automated databases, the data will be recorded manually, and a record of this will be left in this manual.

The data controller will be responsible for monitoring, every 6 months, the proper functioning and application of the procedures for making backup copies and recovering the data.

FARANDA HOTELS must keep a backup copy of the data and of the data recovery procedures, in a different place than where the equipment where the processing is carried out are located. This place must, in any case, comply with the same security measures required for the original data.

10. Access log.

For every attempt to access the information systems of the data controller, a record must be kept of, at a minimum, the identification of the user, the date and time of the attempt, the database accessed, the type of access and whether that access was authorized or unauthorized. If the access was authorized, the information that makes it possible to identify the record consulted is also saved.

The security managers of automated databases are responsible for controlling the mechanisms that allow the registration of access, reviewing the registered control information on a monthly basis and preparing a report of the revisions carried out and the problems detected. In addition, they must prevent the manipulation or deactivation of the mechanisms that allow access registration.

The data contained in the access record must be kept for at least two years.

Access registration will not be necessary, when the person responsible for the treatment is a natural person and guarantees that only he has access to and processes personal data.

Access to personal data through communication networks, public or private, must be subject to security measures equivalent to local access to personal data.

The transmission or transfer of personal data through public or wireless electronic communication networks must be carried out by encrypting such data, or using another similar mechanism to ensure that the information is not intelligible or manipulated by third parties.
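The Numeral 10 access log as code: the minimum fields, the rule that the record identifier is stored only for authorized accesses, the monthly review report the security manager must prepare, and the two-year retention minimum. This is an added example, not FARANDA HOTELS' own code; the CSV layout and the sample lines are constructed, and the "three or more unauthorized attempts" threshold for flagging a user is an assumption.

```python
"""Added example (not FARANDA HOTELS' code): Numeral 10 access log review and retention."""
import csv
from collections import Counter
from datetime import datetime, timedelta
from io import StringIO

RETENTION = timedelta(days=2 * 365)       # Numeral 10: keep the log at least two years
REPEAT_THRESHOLD = 3                      # assumption: flag users with >= 3 refusals
REQUIRED = ("user", "timestamp", "database", "access_type", "authorized")

# Constructed sample log (not real data). record_id is set only on authorized access.
SAMPLE_LOG = """user,timestamp,database,access_type,authorized,record_id
jdoe,2024-03-02T09:15:00,Customers,read,yes,CUST-1042
jdoe,2024-03-02T09:16:30,Customers,update,yes,CUST-1042
mruiz,2024-03-05T22:41:00,Shareholders and Directors,read,no,
mruiz,2024-03-05T22:42:10,Shareholders and Directors,read,no,
mruiz,2024-03-05T22:43:05,Shareholders and Directors,read,no,
aperez,2024-03-12T11:00:00,Employees,export,yes,
"""


def parse_log(text: str) -> list[dict]:
    """Read the CSV log into one dict per access attempt."""
    return list(csv.DictReader(StringIO(text)))


def entry_problems(e: dict) -> list[str]:
    """Check one entry against the minimum content Numeral 10 requires."""
    problems = [f"missing {f}" for f in REQUIRED if not e.get(f)]
    if e.get("authorized") == "yes" and not e.get("record_id"):
        problems.append("authorized access without record identifier")
    if e.get("authorized") == "no" and e.get("record_id"):
        problems.append("record identifier stored for unauthorized access")
    return problems


def monthly_review(entries: list[dict], year: int, month: int) -> dict:
    """Build the monthly review report: volume, refusals per user, repeat
    offenders and malformed entries (the 'problems detected' of Numeral 10)."""
    in_month = []
    for e in entries:
        ts = datetime.fromisoformat(e["timestamp"])
        if ts.year == year and ts.month == month:
            in_month.append(e)
    unauthorized = Counter(e["user"] for e in in_month if e["authorized"] == "no")
    return {
        "total": len(in_month),
        "unauthorized_by_user": dict(unauthorized),
        "repeated_unauthorized": sorted(u for u, n in unauthorized.items()
                                        if n >= REPEAT_THRESHOLD),
        "malformed": [(e["user"], e["timestamp"], p)
                      for e in in_month for p in entry_problems(e)],
    }


def purgeable(entries: list[dict], today: datetime) -> list[dict]:
    """Entries older than the two-year minimum; everything else must be kept."""
    return [e for e in entries
            if today - datetime.fromisoformat(e["timestamp"]) > RETENTION]
```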

11. Staff roles and obligations

All persons involved in the storage, processing, consultation or any other activity related to personal data and information systems must act in accordance with the functions and obligations set out in this section.

FARANDA HOTELS must inform its personnel of the security measures and regulations required to carry out their functions, as well as of the consequences of non-compliance, through any means of communication that guarantees their reception or dissemination (email, bulletin board, etc.). Likewise, it must make this Habeas Data Policies and Procedures document available to staff so that they can know the security regulations and their obligations in this area according to the position they hold.

FARANDA HOTELS fulfils its duty to inform through the confidentiality and secrecy agreements signed, where appropriate, by the users of the identification systems referred to in Numeral 12 on databases and information systems, and through an informational circular addressed to them.

The functions and obligations of FARANDA HOTELS staff are generally defined according to the type of activity they carry out within the institution, specifically, by the content of this manual. The list of users and profiles with access to protected resources is included in the Numeral 12 on databases and information systems. In general, when a user deals with documents or media containing personal data, he has a duty to guard them, as well as to monitor and control that unauthorized persons cannot access them.

Failure to comply with the obligations and security measures established in this manual by personnel at the service of the data controller is punishable in accordance with the regulations applicable to the existing legal relationship between the parties.

The functions and obligations of users of personal databases, under the responsibility of the data controller, are as follows:

  • Duty of secrecy: Applies to all persons who, in the course of their profession or work, access personal databases, and binds both users and contracted service providers. In compliance with this duty, users of the organization may not communicate or disclose to third parties data that they handle or become aware of in the performance of their functions, and must ensure its confidentiality and integrity.
  • Control functions and delegated authorizations: The data controller may delegate the processing of data to third parties, to act as a data processor, through a data transmission contract. When data transfer contracts are signed, these will be attached to this manual.

Obligations related to the security measures implemented:

  • Access databases only with proper authorization and when necessary for the exercise of their functions.
  • Do not disclose information to third parties or unauthorized users.
  • Observe security regulations and work to improve them.
  • Do not perform actions that pose a danger to information security.
  • Do not extract information from the organization's facilities without proper authorization.
  • Use of resources and work materials: it must be oriented to the exercise of the assigned functions.
  • The use of these resources and materials for personal purposes, or for purposes other than the tasks of the job, is not authorized. When, for justified work reasons, it is necessary to take peripheral or removable devices out of the facilities, the security officers must be notified; they may authorize it and, if necessary, record it.
  • Use of printers, scanners and other copying devices: when using these types of devices, copies must be collected immediately, avoiding leaving them in their trays.
  • Obligation to report incidents: users have the obligation to report incidents of which they are aware of to security officers, who will be responsible for its management and resolution. Some examples of incidents are: the fall of the computer security system that allows access to personal data to unauthorized persons, the unauthorized attempt to output a document or medium, the loss of data or the total or partial destruction of media, the change of physical location of databases, the knowledge by third parties of passwords, the modification of data by unauthorized personnel, etc.
  • Duty of custody of the media used: obliges the authorized user to monitor and control that unauthorized persons do not access the information contained in the media. Media that contain databases must identify the type of information they contain by means of a labeling system, and must be inventoried.
  • Responsibility for work terminals and laptops: Each user is responsible for their own work terminal; when absent from their workstation, they must lock the terminal (e.g. a password-protected screen saver) to prevent viewing of or access to the information it contains, and they must turn off the terminal at the end of the working day. In addition, laptop computers must be kept under control at all times to avoid loss or theft.
  • Limited use of the Internet and email: The sending of information electronically and the use of the Internet by staff is limited to the performance of their activities.
  • Safeguarding and protecting passwords: Passwords provided to users are personal and non-transferable, so their disclosure or communication to unauthorized persons is prohibited. When the user logs in for the first time with the assigned password, it is necessary to change it. When it is necessary to restore the password, the user must report this to the system administrator.
  • Backup copies and data recovery: All personal database information owned by the data controller must be backed up.
  • Duty to archive and manage documents and supports: Documents and supports must be properly archived, with the security measures established in this chapter.

12. Databases and information systems.

The databases stored and processed by FARANDA HOTELS are listed in the following table (Table I), which indicates the level of security and the treatment system of each of them.

Table I. Databases and Security Level

| Databases | Security Level |
|---|---|
| Employees, interns, candidates for vacancies | Medium |
| Providers of goods and services | Medium |
| Customers | Medium |
| Shareholders and Directors | High |

| CLASSIFICATION | REMARKS | LEVEL OF PROTECTION | PROFILE |
|---|---|---|---|
| Confidential | Company information, access to information systems, access to the Shareholder and Administrator databases, operating manuals, control configuration, protection and security systems, and law enforcement information. | High | LEVEL 1 |
| Restricted | Access to the following databases: Employees, interns, candidates for vacancies / Providers of goods and services / Customers. These should only be accessed by authorized personnel, with the prior authorization of the owner of the process. | Medium | LEVEL 2 |

The following table (Table II) shows the structure of the FARANDA HOTELS databases:


Table II. Structure of Databases

| Name of the database | Responsible for the treatment | Responsible for inquiries and complaints | Type of data | Physical access control | Logical access control | Backup copies |
|---|---|---|---|---|---|---|
| Employees, interns, candidates for vacancies | FARANDA HOTELS | Legal representative | Basic, private, semi-private and sensitive | Authorized users | Users and passwords | Monthly |
| Providers of goods and services | FARANDA HOTELS | Legal representative | Basic, private, semi-private and sensitive | Authorized users | Users and passwords | Monthly |
| Customers | FARANDA HOTELS | Legal representative | Basic, private, semi-private and sensitive | Authorized users | Users and passwords | Monthly |
| Shareholders and Directors | FARANDA HOTELS | Legal representative | Basic, private, semi-private and sensitive | Authorized users | Users and passwords | Monthly |

The appointment of security officers does not exempt the controller or the processor from their obligations.

Where a data transmission contract exists, the data processors will be identified in the Register of data transmission contracts of this document. Data processors must fulfil the functions and obligations related to the security measures set out in this manual.

12.1 Procedure for notification, management and response to incidents

FARANDA HOTELS establishes a procedure for the notification, management and response to incidents in order to guarantee the confidentiality, availability and integrity of the information contained in the databases under its responsibility.

All users and those responsible for procedures, as well as anyone who has a relationship with the storage, processing or consultation of the databases contained in this document, must know the procedure to act in the event of an incident.

The procedure for notifying, managing and responding to incidents is as follows:

  • When a person becomes aware of an incident that affects or may affect the confidentiality, availability and integrity of the institution's protected information, they must immediately report it to security officers, describing in detail the type of incident that occurred, and indicating the people who may have been related to the incident, the date and time when it occurred, the person who reports the incident, the person to whom it is reported and the effects it has produced.
  • Once the incident has been reported, the person reporting it must request from the corresponding head of security an acknowledgment of receipt recording the notification of the incident, with all the details listed above.

FARANDA HOTELS maintains an Incident log which must contain: the type of incident, the date and time of the incident, the person who reports it, the person to whom it is reported, the effects of the incident and, where appropriate, the corrective measures. This log is managed by the head of security of the database and should be included as an annex to this manual.

In addition, it must implement the procedures for data recovery, indicating who executes the process, the restored data and, where appropriate, the data that has required to be recorded manually in the recovery process.

12.2 Report

All incidents and suspicious events must be reported as soon as possible through the established internal channels. If sensitive or confidential information is lost or disclosed to unauthorized personnel, or any of these events is suspected, the person responsible for the information must be notified immediately. Officials must report to their direct supervisor and/or to the Personal Data Protection Officer any damage to or loss of computers or any other device that contains personal data held by the Entity. Unless there is a duly reasoned and justified request from the competent authority, no official should disclose information about computer systems and networks that have been affected by a computer crime or system abuse. When information or data is delivered pursuant to an order of an authority, the Legal Advisory Office must intervene in order to provide appropriate advice.

The person responsible for the information must ensure that actions are taken to investigate and diagnose the causes of the incident, and must ensure that the entire incident management process is properly documented, with the support of the Technology and Information Technology Office.

13. Measures for the transport, destruction and reuse of documents and supports.

When it is appropriate to discard any document (original, copy or reproduction) or medium containing personal data, it must be destroyed or erased, through the implementation of measures aimed at preventing access to or recovery of the information contained in said document or medium.

Before destruction begins, a record will be drawn up on any medium, physical or digital; this record will describe the document to be destroyed, the date and time, and will bear the signatures of two people who witness the destruction.

When documents or media are physically transferred, the necessary measures must be taken to prevent improper access, manipulation, theft or loss of information. Media containing personal data are transferred with the information encrypted, or using any other mechanism that guarantees that it cannot be manipulated or accessed.

The data contained in portable devices must be encrypted when the devices are outside the facilities under FARANDA HOTELS' control. When encryption is not possible, the processing of personal data using this type of device must be avoided; however, processing may be carried out when strictly necessary, adopting security measures that take the risks into account and recording them in this manual.

14. Infractions and penalties

Local authorities may impose sanctions for non-compliance with data protection regulations on the controller or the processor. Possible sanctions are:

  • Personal and institutional fines of up to the equivalent of two thousand (2,000) minimum monthly statutory salaries in force at the time the sanction was imposed. The fines may be successive as long as the non-compliance that caused them persists.
  • Suspension of treatment-related activities for up to six (6) months. The act of suspension will indicate the corrective measures to be adopted.
  • Temporary closure of treatment-related operations, once the term of suspension has elapsed without the corrective measures ordered by the Authority having been adopted.
  • Immediate and definitive closure of the operation involving the processing of sensitive data.

15. Validity

The databases under the responsibility of FARANDA HOTELS will be processed for the time that is reasonable and necessary for the purpose for which the data is collected. Once the purpose or purposes of the processing have been fulfilled, and without prejudice to legal regulations to the contrary, the personal data in its possession will be deleted, unless a legal or contractual obligation requires its conservation. For all these reasons, this document enters into force upon its publication on the Web portal.