JURIDEX ABOGADOS S.A.S.

The purpose of this manual is to comply with Statutory Law 1581 of 2012, and its Regulatory Decree 1377 of 2013, which aims to develop the constitutional right that all people have to know, update, and rectify the information that has been collected about them in databases or files, and the other constitutional rights, freedoms, and guarantees referred to in article 15 of the Political Constitution; as well as the right to information enshrined in article 20 of the same. This manual extends to all business, civil, and commercial relations developed by JURIDEX ABOGADOS S.A.S. by virtue of its corporate purpose, which prominently includes activities associated with RDM Colombia. Consequently, personal information provided by its owners during any type of interaction with RDM Colombia will be protected by the principles, purposes, and procedures established in this document.

In this way, JURIDEX ABOGADOS S.A.S. states that it guarantees the rights of privacy, intimacy, and good name in the processing of personal data, and, consequently, all its actions will be governed by the principles of legality, purpose, freedom, veracity, quality, transparency, access and restricted circulation, security, and confidentiality.

All individuals who, in the course of various contractual, commercial, or labor activities, among others, whether permanent or occasional, provide JURIDEX ABOGADOS S.A.S. with any type of information or personal data, may access, update, and correct it.

For this purpose and in accordance with the provisions of article 18, literal f of Law 1581 of 2012, JURIDEX ABOGADOS S.A.S. adopts this internal manual of policies and procedures to guarantee the adequate compliance with Law 1581 of 2012 and, especially, for addressing inquiries and claims by the owners of personal data.

IDENTIFICATION OF THE RESPONSIBLE PARTY

NAME OR BUSINESS NAME JURIDEX ABOGADOS S.A.S. company identified with NIT. 900.845.177-6

ADDRESS AND LOCATION: JURIDEX ABOGADOS S.A.S. has its principal domicile in the city of Cali at Carrera 38 No. 5E-28, office 503B.

PHONE: 3133777028

EMAIL: notificaciones@juridex.co

CONTENT

1. APPICABLE LEGISLATION
2. SCOPE AND APPLICATION
3. CONCEPT AND DEFINITIONS
4. PRINCIPLES
5. AUTHORIZATION

5.1. FORM AND MECHANISMS TO GRANT AUTHORIZATION

5.2 PROOF OF AUTHORIZATION

6. PRIVACY NOTICE

6.1. MINIMUM CONTENT OF THE PRIVACY NOTICE

7. RIGHTS AND DUTIES

7.1. RIGHTS OF THE DATA SUBJECTS

7.2. DUTIES OF JURIDEX ABOGADOS S.A.S. AS THE PARTY RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA

7.3. RIGHT OF ACCESS

7.4. RECTIFICATION AND UPDATING OF DATA

7.5. DATA DELETION

1. REVOCATION OF AUTHORIZATION

8. PROCEDURES FOR THE EXERCISE OF RIGHTS

8.1. INQUIRIES

1. CLAIMS

9. POLICY AND PURPOSE OF THE PROCESSING

9.1. POLICY

1. PURPOSE OF THE PROCESSING

10. INFORMATION SECURITY

10.1. SECURITY MEASURES

10.2. IMPLEMENTATION OF SECURITY MEASURES

11. USE AND INTERNATIONAL TRANSFER OF PERSONAL DATA AND INFORMATION BY JURIDEX ABOGADOS S.A.S.
    
    
12. DATA PROCESSING CONTROLLER
    
    
13. TERM OF VALIDITY

• APPLICABLE LEGISLATION

This manual was prepared taking into account the provisions contained in Article 15 of the Political Constitution, Law 1581 of 2012 “Which issues general provisions for the protection of personal data” and Decree 1377 of 2013 “Which partially regulates Law 1581 of 2012.” All other regulations that supplement or replace the aforementioned shall also apply to this Policy.

Based on the foregoing, JURIDEX ABOGADOS S.A.S. issues this Privacy and Personal Data Processing Policy (hereinafter the “Policy”), regarding the data stored in its databases, which belong to natural persons (Data Subjects) who have authorized JURIDEX ABOGADOS S.A.S. to handle them in accordance with corporate guidelines and this Policy.

Likewise, the following provisions are part of this Policy: Law 1266 of 2008, Regulatory Decrees 1727 of 2009 and 2592 of 2010, and Constitutional Court rulings C-1011 of 2008 and C-748 of 2011.

• SCOPE OF APPLICATION

This Policy shall apply to and therefore bind the following persons:

1. Legal representatives and/or company administrators.
   
   
2. Internal staff of JURIDEX ABOGADOS S.A.S., whether executives or not, who manage and process personal data databases.
3. Contractors and natural or legal persons providing services to JURIDEX ABOGADOS S.A.S. under any type of contractual arrangement, under which any processing of personal data is carried out.
   
   
4. Shareholders, statutory auditors, and other persons with whom there is a statutory legal relationship.
   
   
5. Public or private persons who are users of personal data.
   
   
6. Other persons established by law.

• CONCEPTOS Y DEFINICIONES

Personal Database Administrator: Area in charge or Person in charge who is responsible for and carries out Processing of one or more Databases that contain personal information.

Authorization: Prior, express and informed consent of the Owner to carry out the Processing of Personal Data.

Privacy Notice: Verbal or written communication generated by the controller, addressed to the Data Subject for the Processing of their Personal Data, through which they are informed about the existence of the information Processing policies that will be applicable to them, how to access them and the purposes of the Processing that is intended to be given to the Personal Data.

Database: Organized set of Personal Data that is subject to Processing.

Personal Data: Any information linked to or that may be associated with one or more determined or determinable natural persons.

Personal Data of Children and Adolescents: Personal data of minors, the Processing of which is prohibited, except when the purpose pursued with said Processing responds to the interest of children and adolescents and respect for their prevailing rights is ensured without any exception.

Public Data: It is the data that is not semi-private, private or sensitive. Data related to people’s marital status, their profession or occupation, and their status as a merchant or public servant are considered public data, among others. Due to their nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed judicial rulings that are not subject to reservation.

Private Data: It is the data that, due to its intimate or reserved nature, is only relevant to the Owner.

Semi-private Data: Data that is not of an intimate, reserved, or public nature and whose knowledge or disclosure may be of interest not only to its Owner but also to a certain sector or group of people or to society in general, such as financial and credit data of commercial or service activity referred to in Title IV of Law 1266 of 2008.

Sensitive Data: Sensitive Data means those that affect the privacy of the Owner or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership of unions, social or human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sex life and biometric data.

Data Processor: Natural or legal person, public or private, who, by itself or in association with others, carries out the Processing of Personal Data on behalf of the controller.

Authorized Entities: JURIDEX ABOGADOS S.A.S., the Branches and Agencies nationwide subordinate to it or linked to it.

Data Controller: Natural or legal person, public or private, who, by itself or in association with others, decides on the Database and/or the Processing of the data.

Owner: Natural or Legal person whose Personal Data is subject to Processing.

Transfer: The Transfer of data takes place when the Controller and/or Processor of Personal Data, located in Colombia, sends the information or Personal Data to a recipient, who in turn is responsible for the Processing and is located inside or outside the country.

Transmission: Processing of Personal Data that implies the communication thereof within or outside the territory of the Republic of Colombia, when its purpose is the realization of a Processing by the Processor on behalf of the Controller.

Treatment: Any operation or set of operations on Personal Data, such as the collection, storage, use, circulation or deletion thereof. These definitions will be maintained when referred to in the singular and plural, and will be understood to be modified when the applicable law and/or regulations and/or the interpretations of the competent authorities modify them.

• PRINCIPLES

Principle of legality in the matter of data Processing: The Processing referred to in this law is a regulated activity that must be subject to the provisions of this law and other provisions that develop it.

Principle of purpose: The Processing of Personal Data collected by JURIDEX ABOGADOS S.A.S., must obey a legitimate purpose which must be informed to the Owner.

Principle of freedom: The Processing can only be carried out with the prior, express and informed consent of the Owner. Personal Data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent.

Principle of veracity or quality: The information subject to Processing must be truthful, complete, accurate, updated, verifiable and understandable. The Processing of partial, incomplete, fragmented data or data that leads to error is prohibited.

Principle of transparency: In the Processing, the right of the Owner to obtain information from JURIDEX ABOGADOS S.A.S., at any time and without restrictions, about the existence of data that concerns him must be guaranteed.

Principle of restricted access and circulation: The Processing may only be done by persons authorized by the Owner and/or by the persons provided for in the Law. Personal Data, with the exception of public information, may not be available on the Internet or other means of mass dissemination or communication, unless access is technically controllable to provide restricted knowledge only to the Owners or authorized third parties.

Principle of security: The information subject to Processing by JURIDEX ABOGADOS S.A.S., must be protected through the use of technical, human and administrative measures that are necessary to grant security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.

Principle of confidentiality: All persons involved in the Processing of Personal Data are obliged to guarantee the reservation of information, even after the termination of their relationship with any of the tasks that comprise the Processing.

1. AUTHORIZATION

The collection, storage, use, circulation and, in general, the Processing of Personal Data contained in the Databases of JURIDEX ABOGADOS S.A.S., require the free, prior, express and informed consent of the Owners thereof. JURIDEX ABOGADOS S.A.S., in its capacity as Data Controller, has provided the necessary mechanisms to obtain the Authorization of the data Owners, prior to the collection of their data, guaranteeing in any case that it is possible to verify and prove the granting of said Authorization. The personal data of the Owners will be kept in the Databases of JURIDEX ABOGADOS S.A.S., for as long as they are used for the authorized purposes, unless the Owner requests their deletion.

5.1 FORM AND MECHANISMS TO GRANT AUTHORIZATION

The Authorization may be in a physical document, electronic document, data message, Internet, website or also verbally or by telephone or in any other format that allows guaranteeing its subsequent consultation; or through an unequivocal conduct of the Owner that allows concluding in a reasonable way that he granted the authorization; or through a suitable technical or technological mechanism through which it can be concluded unequivocally that, had the consent of the Owner not been obtained, the data would never have been collected and stored in the Database.

With the procedure of consented authorization, it is guaranteed that the Owner of the Personal Data has been informed that their personal information will be collected and used for specific and known purposes in accordance with this Policy and the corresponding Privacy Notice and the right that assists them to request access, update, rectification and deletion of their Personal Data at any time, through the mechanisms made available to them by JURIDEX ABOGADOS S.A.S. The foregoing in order for the Owner to make informed decisions regarding their Personal Data and control the use of their personal information.

The Authorization is a statement that informs the Owner of the Personal Data:

1. Who collects your personal information.
2. What it collects (data that is collected).
3. What it collects the data for (the purposes of the Processing).
4. How to exercise rights of access, correction, updating or deletion of the Personal Data provided.
5. Inform the Owner that, since it is Sensitive Data (if applicable), he is not obliged to authorize its Processing.

This statement is made through the Privacy Notice, as defined below.

5.2 PROOF OF AUTHORIZATION

JURIDEX ABOGADOS S.A.S. will adopt the necessary measures to maintain records or suitable technical or technological mechanisms of when and how it obtained the Authorization from the owners of Personal Data for the Processing thereof.

1. PRIVACY NOTICE

The Privacy Notice is the physical, electronic document or in any other format, that is made available to the Owner so that he is informed of the Processing that JURIDEX ABOGADOS S.A.S. will give to his Personal Data, prior to the moment that the collection of Personal Data is authorized. Through this document, the Owner is informed of the existence of the information Processing Policies that will be applicable to him, how to access them and the characteristics of the Processing that is intended to be given to the Personal Data.

6.1. MINIMUM CONTENT OF THE PRIVACY NOTICE

The Privacy Notice, at a minimum, must contain the following information:

1. The identity, address and contact information of the controller.
2. The type of Processing to which the data will be subjected and the purpose thereof.
3. The rights that assist the Owner.
4. The general mechanisms provided by the controller for the Owner to know the information Processing policy and the substantial changes that occur in it or in the corresponding Privacy Notice. In all cases, you must inform the Owner how to access or consult the information Processing policy.
5. Notwithstanding the foregoing, when Sensitive Personal Data is collected, the Privacy Notice will expressly indicate the optional nature of the response to questions that relate to this type of data.

• RIGHTS AND DUTIES

7.1. RIGHTS OF THE INFORMATION HOLDERS

In accordance with the provisions of article 8 of Law 1581 of 2012 and articles 21 and 22 of Decree 1377 of 2013, the Owner of the Personal Data has the following rights:

1. Know, update and rectify your Personal Data before JURIDEX ABOGADOS S.A.S., in its capacity as Data Controller.
2. Request proof of the Authorization granted to JURIDEX ABOGADOS S.A.S., in its capacity as Data Controller.
3. Be informed by JURIDEX ABOGADOS S.A.S., upon request, regarding the use that has been given to your Personal Data.
4. File complaints with the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other regulations that modify, add to or complement it, once the consultation or claim procedure has been exhausted before the Data Controller.
5. Revoke the Authorization and/or request the deletion of the data when the principles, constitutional and legal rights and guarantees are not respected in the Processing.
6. Access your Personal Data that has been subject to Processing free of charge. JURIDEX ABOGADOS S.A.S. will keep contact means enabled so that data Owners can exercise their rights and apply the procedures provided for in this Policy, which will be informed and made available in the Privacy Notice.

• DUTIES OF JURIDEX ABOGADOS S.A.S. AS RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA

JURIDEX ABOGADOS S.A.S. will keep in mind, at all times, that Personal Data is the property of the people to whom it refers and that only they can decide on it. In this sense, it will make use of them only for those purposes for which it is duly authorized and respecting in any case Law 1581 of 2012, Decree 1377 of 2013 and other applicable regulations on the protection of Personal Data in accordance with the provisions of article 17 of Law 1581 of 2012 and articles 21 and 22 of Decree 1377 of 2013, JURIDEX ABOGADOS S.A.S., undertakes to permanently comply with the following duties in relation to the Processing of Personal Data:

1. Guarantee the Owner, at all times, the full and effective exercise of the right of habeas data.
2. Request and keep, under the conditions provided in this law, a copy of the respective authorization granted by the Owner.
3. Duly inform the Owner about the purpose of the collection and the rights that assist him by virtue of the authorization granted.
4. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
5. Guarantee that the information provided to the controller is truthful, complete, accurate, updated, verifiable and understandable.
6. Update the information, communicating in a timely manner to the controller, all the news regarding the data that you have previously provided and adopt the other measures necessary so that the information provided to it is kept updated.
7. Rectify the information when it is incorrect and communicate the relevant information to the controller.
8. Provide the controller, as the case may be, only data whose Processing is previously authorized in accordance with the provisions of this law.
9. Demand from the controller at all times respect for the security and privacy conditions of the Owner’s information.
10. Process the queries and claims made in the terms indicated in this law.
11. Adopt an internal manual of policies and procedures to guarantee the adequate compliance with this law and especially, for the attention of queries and claims.
12. Inform the controller when certain information is under discussion by the Owner, once the claim has been filed and the respective procedure has not been completed.
13. Inform at the request of the Owner about the use given to their data.
14. Inform the data protection authority when there are violations of security codes and there are risks in the administration of the information of the Owners.
15. Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

NOTE: JURIDEX ABOGADOS S.A.S. guarantees and requires all persons involved in any phase of the processing of private, sensitive or minor’s personal data, the confidentiality, with respect to these.

• RIGHT OF ACCESS

The power of disposition or decision that the Owner has over the information that concerns him/her, necessarily entails the right to access and consult if his/her personal information is being processed, as well as the scope, conditions and generalities of said Processing. In this way, JURIDEX ABOGADOS S.A.S. must guarantee the Owner’s right of access in three ways:

1. The first implies that the Owner can know the effective existence of the Processing to which his/her Personal Data is subjected.
2. The second, that the Owner can have access to his/her Personal Data that is in the possession of the Controller.
3. The third, implies the right to know the essential circumstances of the Processing, which translates into the duty of JURIDEX ABOGADOS S.A.S., to inform the Owner about the type of Personal Data processed and each and every one of the purposes that justify the Processing.

PARAGRAPH: JURIDEX ABOGADOS S.A.S. will guarantee the right of access when, after accrediting the identity of the Owner or the capacity of his/her representative, the detail of the Personal Data is made available to him/her, free of charge, through the means enabled for this purpose.

• DATA RECTIFICATION AND UPDATE

The Data Owner has the right to request the update or rectification of his/her Personal Data. JURIDEX ABOGADOS S.A.S. has the obligation to rectify and update, at the request of the Owner, the information of the latter that turns out to be incomplete or inaccurate, in accordance with the procedure indicated in this Policy. In requests for rectification and updating of Personal Data, the Owner must indicate the corrections to be made, for which in some cases the documentation that supports his/her request will be requested.

JURIDEX ABOGADOS S.A.S. has full freedom to enable mechanisms that facilitate the exercise of this right, as long as they benefit the Owner. Consequently, electronic or other means that it considers pertinent may be enabled.

JURIDEX ABOGADOS S.A.S. may establish forms, systems and other simplified methods, which must be informed and made available to interested parties on the website.

Each time JURIDEX ABOGADOS S.A.S. makes available a new tool to facilitate the exercise of their rights by the Information Owners or modifies the existing ones, it will inform it through its website.

• DATA DELETION

The Owner has the right, at all times, to request JURIDEX ABOGADOS S.A.S. to delete his/her Personal Data when:

1. He/she wishes his/her data to be deleted from the Databases of JURIDEX ABOGADOS S.A.S.
2. He/she considers that they are not being processed in accordance with the principles, duties and obligations provided for in Law 1581 of 2012 and Decree 1377 of 2013.
3. They are no longer necessary or relevant for the purpose for which they were collected.
4. The period necessary for the fulfillment of the purposes for which they were collected has been exceeded. The deletion implies the total or partial elimination of the personal information according to what is requested by the Owner in the records, files, Databases or Treatments carried out by JURIDEX ABOGADOS S.A.S.

It is important to keep in mind that the right of cancellation is not absolute and the Controller may deny its exercise when:

1. The Owner has a legal or contractual duty to remain in the Database.
2. The elimination of data hinders judicial or administrative actions linked to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.
3. The data are necessary to protect the legally protected interests of the Owner; to carry out an action based on the public interest, or to comply with a legally acquired obligation by the Owner.

In the event that the cancellation of the Personal Data is appropriate, JURIDEX ABOGADOS S.A.S. must operationally carry out the deletion in such a way that the elimination does not allow the recovery of the information.

7.6 REVOCATION OF AUTHORIZATION

The Owners of the Personal Data may revoke the consent to the Processing of their Personal Data at any time, as long as a legal or contractual provision does not prevent it. For this, JURIDEX ABOGADOS S.A.S. must establish simple, easily accessible and free mechanisms that allow the Owner to revoke his/her consent, at least by the same means by which he/she granted it and in the 12 terms stipulated in Law 1581 of 2012, its regulatory Decrees and modifying or complementary norms.

It should be taken into account that there are two modalities in which the revocation of consent can occur:

The first may be on the totality of the consented purposes, that is, that JURIDEX ABOGADOS S.A.S. must completely stop processing the Owner’s Data; The second may occur on certain types of Processing, such as for advertising or market research purposes. With the second modality, that is, the partial revocation of consent, other purposes of the Processing that the Controller, in accordance with the Authorization granted, can carry out and with which the Owner agrees are kept safe.

Therefore, it will be necessary for the Owner, at the time of submitting the revocation request, to indicate in it if the revocation he/she intends to carry out is total or partial. In the second hypothesis, it must be indicated with which Treatment the Owner does not agree.

There will be cases in which the consent, due to its necessary character in the relationship between Owner and Controller for the fulfillment of a contract, by legal provision may not be revoked.

The mechanisms or procedures that JURIDEX ABOGADOS S.A.S. establishes to attend to requests for revocation of the consent granted may not exceed the deadlines provided to attend to claims as indicated in article 15 of Law 1581 of 2012.

• PROCEDURES FOR THE EXERCISE OF RIGHTS

8.1. INQUIRIES

In accordance with the provisions of article 14 of Law 1581 of 2012 and article 21 of Decree 1377 of 2013, the Owners may consult their personal information that is in any Database. Consequently, JURIDEX ABOGADOS S.A.S., will guarantee the right of consultation, providing the Owners with all the information contained in the individual registry or that is linked to the identification of the Owner, under the following rules:

1. The Owner may consult his/her personal data free of charge: at least once each calendar month, and each time there are substantial modifications to the information Processing policies that motivate new consultations.

1. The right of consultation may be exercised by:

1. The Owner, after accrediting his/her identity, or through electronic instruments that allow him/her to identify himself/herself.
2. By the representative and/or attorney of the Owner, after accrediting the representation or empowerment.
3. By stipulation in favor of another or for another.
4. The rights of children or adolescents will be exercised by the persons who are empowered to represent them.

When the request is made by a person other than the Owner and it is not proven that the same acts in representation of that one, it will be considered as not presented.

1. Minimum information

1. The name and address of the Owner or any other means to receive the response.
2. The documents that prove the identity or the personality of his/her representative.
3. The clear and precise description of the Personal Data with respect to which the Owner seeks to exercise any of the rights.
4. If applicable, other elements or documents that facilitate the location of the Personal Data.

1. The means of communication that have been enabled for consultations should be used, such as:

Physical address: Carrera 38 No. 5E-28, Office 503B of Cali, Email: notificaciones@juridex.co and Telephone: 3133777028. In any case, regardless of the mechanism implemented to attend to consultation requests, they will be attended to within a maximum term of ten (10) business days counted from the date of receipt. When it is not possible to attend to the consultation within said term, the interested party will be informed before the expiration of the ten (10) days, expressing the reasons for the delay and indicating the date on which his/her consultation will be attended to.

8.2 CLAIMS

In accordance with the provisions of article 15 of Law 1581 of 2012, the Owner or his/her successors who consider that the information contained in a Database should be subject to rectification, updating or deletion, or when they notice the alleged breach of any of the duties contained in Law 1581 of 2012, Decree 1377 of 2013 or any other applicable norm, may present a claim before the Processing Controller, which will be processed under the following rules:

1. The rights of rectification, updating or deletion may be exercised by:

1. The Owner, after accrediting his/her identity, or through electronic instruments that allow him/her to identify himself/herself.
2. By the representative and/or attorney of the Owner, after accrediting the representation or empowerment.
3. By stipulation in favor of another or for another.
4. The rights of children or adolescents will be exercised by the persons who are empowered to represent them.
5. When the request is made by a person other than the Owner and it is not proven that the same acts in representation of that one, it will be considered as not presented.

1. The request for rectification, updating or deletion must be presented through the means enabled by JURIDEX ABOGADOS S.A.S. indicated in the Privacy Notice and contain, at least, the information indicated in article 15 of Law 1581 of 2012 and in article 9 of Decree 1377 of 2013, and other norms that replace or complement:

1. The name and address of the Owner or any other means to receive the response.
2. The documents that prove the identity or the personality of his/her representative.
3. The clear and precise description of the Personal Data with respect to which the Owner seeks to exercise any of the rights.
4. The description of the facts that give rise to the claim, the address and documents that the Owner wants to assert.
5. If applicable, other elements or documents that facilitate the location of the Personal Data.

1. The means of communication that have been enabled for consultations should be used, such as:

Physical address: Carrera 38 No. 5E-28, office 503B of Cali. Email: notificaciones@juridex.co, telephone: 3133777028.

1. If the claim received does not have complete information that allows it to be processed, the interested party will be required within five (5) days following its receipt to correct the faults. Two (2) months after the date of the requirement without the applicant submitting the required information, it will be understood that he/she has withdrawn from the claim.

1. If for any circumstance a claim is received that should not actually be directed against JURIDEX ABOGADOS S.A.S., it will transfer it, to the extent of its possibilities, to whoever corresponds within a maximum term of two (2) business days, and will inform the interested party of the situation.

1. The maximum term to attend to the claim will be fifteen (15) business days counted from the day following the date of its receipt. When it is not possible to attend to it within said term, the interested party will be informed before the expiration of the referred term of the reasons for the delay and the date on which his/her claim will be attended to, which in no case may exceed eight (8) business days following the expiration of the first term.

• POLICY AND PURPOSE OF THE PROCESSING

9.1. POLICY

To comply with Statutory Law 1581 of October 17, 2012 and other norms that modify, add or complement it, there are different processes and guidelines for the management of information of Shareholders, Clients, Suppliers, Collaborators and other groups of interest, to which reference is made in this policy, and within which the following aspects are concentrated.

• Adequate provision of services: It includes everything related to the data necessary to analyze and develop the feasibility, contracting, adaptation, execution of the service, in aspects such as: leasing, customer service, service improvement, customer satisfaction, information, security; and in general all the information essential to comply with the scope of the contract, the provision of the service, the regulation and the current regulations.

• Commercial Purposes of the company: It includes all activity aimed at presenting offers, services, advertising, opportunities, customer loyalty, customer retention; and in general information of the goods, products and services that may be of interest to customers and users.

• Other purposes: Eventually the company may establish other purposes for the processing of personal data, and for this, it must have the prior, express, consented and informed authorization of the owner for its corresponding processing.

1. Customer databases

The company will inform the Data Owner that it collects, the processing that will be done of his/her personal data and its purpose will obtain in advance the authorization of the clients for such purpose, which mainly correspond to the purposes described in the previous paragraph.

The processing of the data will be done based on the authorization of the user and taking into account his/her need, both in relation to the purpose and with the time.

The database will have a duration equal to what is provided by virtue of the contractual relationship, without prejudice to review every two (2) years to evaluate the need, proportionality and/or existence of a legal or contractual duty for the permanence of the database.

1. Contractor and supplier databases

They are the manual or automated databases that contain data of the natural or legal persons that maintain a contractual and commercial link, whose processing has the purpose of complying with the contractual provisions stipulated by JURIDEX ABOGADOS S.A.S., for the acquisition of services and goods demanded by it for its normal operation or the fulfillment of some of its functions. This database contains personal data that is public, private or sensitive, which are intended for the development of contractual relations. The processing of these data for purposes other than the maintenance of the contractual relationship or the fulfillment of legal duties requires prior authorization from the owner.

The suppliers, by authorizing by any means, the use of their information, accept that the company may use, conserve, transfer, collect, store and use the personal information in order to:

• Enter your information into this database.
• Collect and process your information and that of your representatives or employees in order to carry out the following activities:

• Payment of contractual obligations.
• Report to government entities.
• Delivery of information to government or judicial entities that require it.
• Support in external and internal audit processes.

• Any other purpose that results in the development of the contract in case of being hired.

The database will have a duration equal to what is provided by virtue of the contractual relationship, without prejudice to review every two (2) years to evaluate the need, proportionality and/or existence of a legal or contractual duty for the permanence of the database.

1. Employee Databases

These are manual or automated databases that contain data of natural persons who are employed by JURIDEX ABOGADOS S.A.S., the purpose of which is to comply with legal and regulatory provisions. This database incorporates private, public, sensitive data, and data of minors. The processing of data for purposes other than obligations arising from the employment relationship will require prior authorization from the owner or their legal representative, as the case may be. In no case will JURIDEX ABOGADOS S.A.S. process sensitive data or data of minors without prior authorization.

The company, as an Employer and by mandate of labor legislation and conventional agreements, must have personal information of its employees.

To fulfill labor obligations, it possesses information and data related to the worker’s identification, hiring exams, academic background, work experience, home address, beneficiaries, salaries, Pension Funds, Severance Payments, Occupational Risks, Compensation Fund, Life and Accident Insurance, bank account for payment from the work relationship, affiliations with external entities to which the employee voluntarily, consciously, and freely has requested inclusion to authorize discounts or direct payments through payroll, to facilitate their relationships and prior existence of agreements with those third parties and the company.

The database will have a duration equal to what is provided by virtue of the contractual relationship, without prejudice to review every two (2) years to evaluate the need, proportionality and/or existence of a legal or contractual duty for the permanence of the database.

1. Potential client databases

These are manual or systematized databases that contain public and private data, which are required in order to comply with the functions legally assigned in accordance with the provisions of numeral 8 of article 10 of Decree 898 of 2002.

The processing of this data will require prior authorization and information on the purposes of its processing, under the formats defined for this purpose by JURIDEX ABOGADOS S.A.S.

The database will have a duration equal to what is provided by virtue of the contractual relationship, without prejudice to review every two (2) years to evaluate the need, proportionality and/or existence of a legal or contractual duty for the permanence of the database.

1. Shareholder Databases

The data and personal information of the people who become shareholders of JURIDEX ABOGADOS S.A.S. will be considered reserved information, since it is registered in the commercial books and has the character of reservation by legal provision.

Consequently, access to such personal information will be carried out in accordance with the rules contained in the Commercial Code that regulates the matter.

JURIDEX ABOGADOS S.A.S. will only use the personal data of the shareholders for the purposes derived from the existing statutory relationship.

The database will have a duration equal to what is provided by virtue of the contractual relationship, without prejudice to review every two (2) years to evaluate the need, proportionality and/or existence of a legal or contractual duty for the permanence of the database.

SENSITIVE DATA

In the case of sensitive personal data, JURIDEX ABOGADOS S.A.S. may use and process them when:

1. The owner has given authorization, except in cases where the granting of said authorization is not required by law.
2. The processing is necessary to safeguard the vital interest of the owner and the owner is physically or legally incapacitated. In these events, the legal representatives must grant their authorization.
3. The processing is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit organization, whose purpose is political, philosophical, religious or trade union, provided that they refer exclusively to its members or to people who maintain regular contacts by reason of their purpose. In these events, the data may not be supplied to third parties without the authorization of the owner.
4. The Processing refers to data that is necessary for the recognition, exercise or defense of a right in a judicial process.
5. The processing has a historical, statistical or scientific purpose. In this event, measures must be taken to suppress the identity of the owners.

Without prejudice to the exceptions provided for in the law, the processing of sensitive data requires the prior, express and informed authorization of the owner, which must be obtained by any means that may be subject to consultation and subsequent verification.

9.2 PURPOSE OF THE PROCESSING

JURIDEX ABOGADOS S.A.S. collects, stores, uses, circulates, transmits and transfers Personal Data of its clients, suppliers, employees, potential clients, shareholders and for control, security, establishment of commercial or legal relations, judicial processes, requirements of administrative authorities and for future references, inside and outside of Colombia.

The personal data collected by JURIDEX ABOGADOS S.A.S. will be included in one or more databases and may be transmitted and/or transferred between JURIDEX ABOGADOS S.A.S., its linked subsidiaries, its parent company or controller, the subsidiaries of its parent company or controller, are the Authorized Entities, so that directly or through third parties, they process personal data only in accordance with the purposes established in this notice. Similarly, the databases of JURIDEX ABOGADOS S.A.S., may include and integrate data transmitted and/or transferred to it by the Authorized Entities and/or by third parties.

Personal Data will be processed in order to:

1. Comply with the legal and/or contractual obligations of the Authorized Entities, due to the development of their civil and commercial activity.
2. Manage data related to human resources, selection processes, organizational analysis, development and management of performance reports of labor contracts, management of labor relations, processing, management, payroll payment and compliance with legal obligations.
3. Administer the internal affairs of JURIDEX ABOGADOS S.A.S., which includes, but is not limited to, the management and provision of legal services, the administration of human, financial and technological resources, the development of commercial strategies, the implementation of internal policies and the fulfillment of legal, contractual and regulatory obligations.
4. Carry out the due diligence process of the Client or Supplier, which consists of the set of procedures for the identification and acceptance of clients and suppliers.
5. Comply with legal obligations, national laws on money laundering and financing of terrorism, financial services and tax compliance services and opinion 14/2011 of Article 29 on data protection related to the prevention of money laundering and financing of terrorism of the “Data Protection Working Group.”
6. Achieve efficient communication with the Data Subject, through any means of contact, related to our services, studies, events, advertising campaigns, service channels and social networks.
7. Provide our services.
8. Inform about changes in services or regarding new services that are related to the one or those contracted.
9. Fulfill obligations contracted with our clients, suppliers and employees.
10. Evaluate the quality of the service.
11. Deliver and offer to the Owner in a general or segmented way, information, content and/or advertising of JURIDEX ABOGADOS S.A.S.
12. Prepare and report statistical information, satisfaction surveys, security studies and analysis, recommendations, new criminal modalities and service quotes, including the possibility of contacting you for such purposes by the commercial or risk area.
13. Contact clients, employees and/or suppliers for the sending of information or any other purpose that results in the development or execution of the contractual, commercial and legal relations that may occur.
14. Request, capture, consult, update, supply, report, process, transmit, transfer, use, put into circulation and disclose all the information that refers to the credit, financial and commercial behavior of the Clients of JURIDEX ABOGADOS S.A.S., whether positive or negative, as many times as required, with respect to commercial transactions with JURIDEX ABOGADOS S.A.S., to the Databases or financial or credit information centers, of Information Operators and/or Financial Entities residing or not in Colombia, and/or that provide the same service or who represent their rights. This treatment seeks that the behavior of the Clients’ obligations is registered in order to provide sufficient and adequate information to the market on the status of the Client’s financial, commercial, credit and/or service obligations.
15. For purposes of security, prevention, investigation and prosecution of fraud.
16. For the purpose of ensuring and maintaining the safety and well-being of our customers.

Consequently, the owner understands and accepts that through this authorization he grants the person responsible and in charge of the treatment, authorization to access his personal data to the extent that they require it either for the provision of the services for which they were contracted or for the link that develops between the parties, that is, the owner of the information and JURIDEX ABOGADOS S.A.S.

• INFORMATION SECURITY

10.1 SECURITY MEASURES

In development of the principle of security established in Law 1581 of 2012, JURIDEX ABOGADOS S.A.S. will adopt the technical, human and administrative measures that are necessary to grant security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.

The Database Administrator will ensure the security of the Databases and will monitor the proper application of the Privacy Policy.

10.2 IMPLEMENTATION OF SECURITY MEASURES

JURIDEX ABOGADOS S.A.S. will maintain mandatory security protocols for personnel with access to personal data and information systems.

The procedure must consider, at least, the following aspects:

1. Training of the person responsible for the processing of databases for the proper management of information, whether physical or automated, which is stored in the company, following the parameters established by law, as well as the protection and security of the data.
2. Training of personnel entering the company about the Personal Data Processing Policy and the security mechanisms and protocols for the Processing of these.
3. Scope of application of the procedure with detailed specification of the protected resources.
4. Measures, norms, procedures, rules and standards aimed at guaranteeing the level of security required in Law 1581 of 2012 and Decree 1377 of 2013.
5. Functions and obligations of the personnel.
6. Structure of the Personal Data Databases and description of the information systems that process them.
7. Procedure for notification, management and response to incidents.
8. Procedures for making backup copies and data recovery.
9. Periodic controls that must be carried out to verify compliance with the provisions of the security procedure that is implemented.
10. Measures to be adopted when a support or document is transported, discarded or reused.
11. The procedure must be kept updated at all times and must be reviewed whenever relevant changes occur in the information system or in the organization of this.
12. The content of the procedure must be adapted at all times to the current provisions regarding the security of Personal Data.

• USE AND INTERNATIONAL TRANSFER OF DATA AND PERSONAL INFORMATION BY JURIDEX ABOGADOS S.A.S.

Attending to the nature of the permanent or occasional relationships that any owner of personal data may have with JURIDEX ABOGADOS S.A.S., it may carry out the transfer and transmission, including international, of all personal data, as long as the applicable legal requirements are met, and consequently, the owners with the acceptance of this policy, expressly authorize to transfer and transmit, including internationally, personal data. The data will be transferred, for all relationships that may be established with JURIDEX ABOGADOS S.A.S.

For the international transfer of personal data of the owners, JURIDEX ABOGADOS S.A.S. will adopt all measures so that third parties know and commit to observe this policy, under the understanding that the personal information they receive may only be used for matters directly related to JURIDEX ABOGADOS S.A.S. and only while it lasts and may not be used or intended for a different purpose or end. For the international transfer of personal data, the provisions of article 26 of Law 1581 of 2012 will be observed.

The international transmissions of personal data carried out by JURIDEX ABOGADOS S.A.S. will not require to be informed to the owner or have their consent when there is a contract for the transmission of personal data in accordance with article 25 of decree 1377 of 2013.

JURIDEX ABOGADOS S.A.S. may also exchange personal information with governmental or public authorities of another type (including, among others, judicial or administrative authorities, tax authorities and criminal, civil, administrative, disciplinary and fiscal investigation agencies), and third parties participating in civil legal proceedings and their accountants, auditors, lawyers and other advisors and representatives, because it is necessary or appropriate: (a) to comply with applicable laws, including laws other than those of your country of residence; (b) to comply with legal processes; (c) to respond to requests from public and government authorities other than those of your country of residence; (d) to enforce our terms and conditions; (e) to protect our operations; (f) to protect our rights, privacy, security or property, yours or those of third parties; and (g) obtain applicable indemnities or limit damages that may affect us.

12. PERSON RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA

JURIDEX ABOGADOS S.A.S., through the email: notificaciones@juridex.co, will be responsible for the processing of personal data.

13. TERM OF VALIDITY

This policy is effective as of January 8, 2025 and leaves without effect the personal data processing policies that may have been adopted by JURIDEX ABOGADOS S.A.S.

ALEXANDER BERMÚDEZ CORREA

Legal Representative

JURIDEX ABOGADOS S.A.S.