Privacy Policy

Your Privacy Matters to Us

INTRODUCTION

The company C.B. HOTELES Y RESORTS S.A (hereinafter referred to as HOTEL ZUANA) is an entity that forms part of the SOCIEDADES BOLIVAR Group, headquartered in the city of Santa Marta, Magdalena. Its corporate purpose is the provision of Hotel and Tourism services.

HOTEL ZUANA offers services including accommodation, food and beverages, recreation, corporate and private events, tours, relaxing massages, bowling, among others.

In the course of its activities, HOTEL ZUANA collects personal information from its direct clients, users, clients under agreements, timeshare clients, employees, suppliers, contractors, potential clients, former employees, former clients, former users, former suppliers, former contractors, prospective suppliers, and prospective employees.

Additionally, HOTEL ZUANA collects or may come to collect contact information from individuals who are not yet clients or users but may become so, as they contact one of the SOCIEDADES BOLIVAR Group companies to learn about its products and services and give their consent to be contacted later by HOTEL ZUANA.

Moreover, in the course of its activities, HOTEL ZUANA receives and processes data from children and adolescents. According to the General Law on Personal Data Protection (hereinafter referred to as the General Law), the handling of data concerning children is prohibited. However, this was nuanced by Regulatory Decree 1377 of 2013, which in Article 12 established that children’s data may be processed as long as it respects their best interests and ensures the protection of their fundamental rights. HOTEL ZUANA complies with these requirements, accessing minors' data solely for the purpose of providing services to them as guests or users of HOTEL ZUANA’s services, as well as to the families of its employees for wellness activities.

HOTEL ZUANA also ensures that sensitive information, such as biometric data (photos and fingerprints) and health-related information provided by guests, employees, and users, is used exclusively for its intended purposes, ensuring that third parties can only access it if authorized by law.

The collection of biometric data is intended to verify the identity of guests, clients, suppliers, and employees in relation to HOTEL ZUANA, to prevent identity fraud, and to protect the data of the individuals involved.

HOTEL ZUANA respects the personal data of its data subjects and will strive to sufficiently inform them about their rights as data subjects. Accordingly, it will provide the necessary channels and means for data subjects to exercise their rights, which are outlined in Chapter V of this manual.

CHAPTER I. GENERAL ASPECTS

1.1. Right to Habeas Data
Article 15 of the Constitution establishes the right of every person to know, update, and rectify the information that has been collected about them in databases or files, whether from public or private entities. This right also includes other powers, such as authorizing the processing of data, including new data, excluding or deleting them from a database or file.

In 2008, Law 1266, known as the Special Habeas Data Law, was enacted. This law regulates what is known as "financial habeas data," which is the right of every individual to know, update, and rectify their personal, commercial, credit, and financial information contained in public or private information centers, which have the function of collecting, processing, and circulating such data to determine the financial risk level of the data subject. This law considers both natural persons and legal entities as data subjects.

Subsequently, in October 2012, Law 1581, the "General Law on Personal Data Protection," was enacted, expanding the right to habeas data beyond the financial and credit context. Under this law, any data subject has the right to control the information collected about them in any database or file, whether managed by private or public entities. Under this General Law, the data subject is any natural person, and only in exceptional cases, as provided by the Constitutional Court in Ruling C-748 of 2011, could a legal entity be considered a data subject if the rights of the natural persons comprising it are affected.

On June 27, 2013, Decree 1377 of 2013 was issued, partially regulating Law 1581 of 2012.

1.2. Purpose
The policy and procedures in this Manual are intended to develop the constitutional right to habeas data that every person has regarding the personal information collected, managed, or stored by HOTEL ZUANA.

1.3. Application
The policy applies to the databases managed by HOTEL ZUANA or which may be known to it by virtue of commercial relationships developed with other entities that are part of the Group to which it belongs, or by virtue of commercial relationships developed through alliances, agreements, or advertising events, for which it is responsible. In the first case, HOTEL ZUANA will act as the Data Controller; in other cases, it may act as the Processor or Controller, depending on whether it receives the data from a third party or collects it itself.

Additionally, the policy will apply when the data processing is carried out in Colombian territory. Similarly, it will apply when the Controller or Processor of the data is not based in Colombia but is subject to Colombian law by virtue of international norms or treaties.

1.4. Scope
All HOTEL ZUANA employees are covered under this policy. HOTEL ZUANA will conduct the necessary educational and training campaigns to ensure that personnel with the highest level of interaction in personal data management are familiar with the new law, Regulatory Decree 1377 of 2013, and the provisions adopted by HOTEL ZUANA to ensure compliance.

Likewise, third parties, including business partners, contractors, and suppliers, who, in the course of providing services, have access to the personal data of direct clients, users, clients under agreements, timeshare clients, potential clients, suppliers, contractors, employees, former employees, former clients, former users, former suppliers, and former contractors will be required to comply with the law, the decree, and this policy.

1.5. Definitions
To ensure that the recipients of this policy clearly understand the terms used throughout, the following definitions from Law 1581 of 2012, as well as those related to data classification under Law 1266 of 2008, are provided.

Authorization: The prior, express, and informed consent of the data subject for the processing of their personal data.
Database: An organized collection of personal data that is subject to processing by both public and private entities. This includes data stored in documents that qualify as files.
Personal Data: Any information linked or that can be associated with one or more identified or identifiable natural persons.

Data Classification under Law 1266 of 2008: Private, semi-private, and public.

  • Private Data: Data that, due to its intimate or reserved nature, is only relevant to the data subject.
  • Semi-Private Data: Data that is neither intimate, reserved, nor public, and whose knowledge or dissemination may interest not only the data subject but also a certain sector or group of people or society in general, such as financial and credit data related to commercial activities or services referred to by the Special Law.
  • Public Data: Data classified as such by law or the Constitution, and any data not classified as semi-private or private under the Special Law. The Special Law includes examples of this type of data, such as those related to civil status, those found in public documents, and final judgments. Decree 1377 of 2013, which regulates Law 1581 of 2012, added to these examples, including data related to profession or occupation, public servant or merchant status, among others.

Data Classification under the General Law: Sensitive and Public.

  • Sensitive Data: Data that affects the data subject’s privacy or whose misuse can lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in trade unions, social organizations, human rights organizations, promoting any political party's interests, or guaranteeing the rights of opposition political parties, as well as data related to health, sexual life, and biometric data.
  • Public Data: Defined residually as any data that is not semi-private, private, or sensitive.

Furthermore, Decree 1377 of 2013, which regulates Law 1581, added to the examples already mentioned by the Special Law, including data related to profession or occupation, merchant status, and public servant status, as well as data that can be obtained without any reservation. It also noted that these data, by their nature, may be contained in public records, gazettes, and official bulletins, among others.

Data Processor: A natural or legal person, public or private, who processes personal data on behalf of the data controller.

Data Controller: A natural or legal person, public or private, who decides, alone or in association with others, on the database and/or the processing of data.

Data Subject: A natural person whose personal data is subject to processing.

Processing: Any operation or set of operations on personal data, such as collection, storage, use, and circulation.

CHAPTER II. PRINCIPLES

HOTEL ZUANA is committed to understanding and harmoniously implementing the principles established in the General Law. The following outlines the principles contained in the law:

2.1. Principle of Legality in Data Processing
The processing referred to in this law is a regulated activity that must adhere to the provisions established within it and other related regulations.

2.2. Principle of Purpose
The processing must serve a legitimate purpose in accordance with the Constitution and the law, and this purpose must be communicated to the data subject.

2.3. Principle of Freedom
Processing can only be carried out with the prior, express, and informed consent of the data subject. Personal data cannot be obtained or disclosed without prior authorization, except where a legal or judicial mandate waives the need for consent.

2.4. Principle of Truthfulness or Quality
The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited.

2.5. Principle of Transparency
The processing must ensure the data subject's right to obtain information from the data controller or the data processor at any time, without restrictions, regarding the existence of data concerning them.

2.6. Principle of Restricted Access and Circulation
Processing is subject to the limitations derived from the nature of personal data and the provisions of the law and the Constitution. In this regard, processing can only be carried out by individuals authorized by the data subject and/or by those prescribed by law.

Personal data, except for public information, cannot be made available on the internet or other mass communication or dissemination media unless access is technically controlled to provide restricted knowledge only to the data subjects or third parties authorized by the General Law.

2.7. Principle of Security
The information subject to processing by the data controller or data processor must be handled with the necessary technical, human, and administrative measures to ensure the security of the records, preventing their alteration, loss, unauthorized or fraudulent consultation, use, or access.

2.8. Principle of Confidentiality
All individuals involved in the processing of personal data that is not public are obligated to guarantee the confidentiality of the information, even after their relationship with any tasks that involve processing has ended. They can only provide or communicate personal data when it is related to activities authorized by the General Law and within its terms.

2.9. Necessity and Proportionality
The personal data recorded in a database must be strictly necessary to fulfill the purpose of the processing, which must be communicated to the data subject. They must be appropriate, relevant, and consistent with that purpose.

2.10. Temporality or Expiration
Personal data will be retained for the time necessary to achieve the purpose for which it was collected.

2.11. Integral Interpretation of Constitutional Rights
The General Law is interpreted to adequately protect constitutional rights, such as the right to Habeas Data, the right to a good name, the right to honor, the right to privacy, and the right to information. The rights of data subjects must be interpreted in harmony and balanced with the right to information provided in Article 20 of the Constitution and other applicable constitutional rights.

HOTEL ZUANA will ensure that data is acquired, processed, and handled lawfully.

Additionally, when HOTEL ZUANA acts as the Data Controller, meaning when it deals with a data subject who will become or is already a customer or user, it will inform them beforehand, clearly and sufficiently, about the purpose of the requested information. If the purpose changes or is modified in such a way that the data subject would not reasonably expect, HOTEL ZUANA will inform them in advance to obtain their consent again.


CHAPTER III. RIGHTS OF THE DATA SUBJECT AND IDENTIFICATION OF DATABASES

3.1. Rights of the Data Subject
Data subjects may contact HOTEL ZUANA, through the channels established in Section 5 of this Manual, to access, update, and correct their personal data. This right can be exercised to learn what information HOTEL ZUANA holds about the data subject, and in relation to partial, inaccurate, incomplete, or fragmented data that may lead to error, or data whose processing is expressly prohibited or has not been authorized.

They may request proof of the authorization granted to HOTEL ZUANA, except when, according to the law, the processing being carried out does not require it.

They have the right to be informed by HOTEL ZUANA, upon request made through the channels provided, regarding the use of their personal data.

They can file complaints with the Superintendency of Industry and Commerce for violations of the General Law and its regulatory decrees.

They may revoke authorization in cases not related to essential data required for service provision. Additionally, they may request the deletion of data when the processing does not respect constitutional and legal principles, rights, and guarantees.

They may access, free of charge, through the channels provided by HOTEL ZUANA, the personal data that has been processed.

Through this Manual, HOTEL ZUANA informs data subjects of the channels and procedures provided for exercising their rights effectively.

3.2. Authorization
Except for the exceptions provided by law, processing requires the prior and informed authorization of the data subject, which must be obtained by any means that can be subject to subsequent consultation.

The authorization of the data subject is not necessary in the following cases:

  • Information required by a public or administrative entity in the exercise of its legal functions or by court order.
  • Data of a public nature.
  • Medical or health emergencies.
  • Information processing authorized by law for historical, statistical, or scientific purposes.
  • Data related to civil registration.

In any of these situations, HOTEL ZUANA will clearly disclose it and, in any case, will comply with the other provisions contained in the law.

The authorizations provided to data subjects must have clear texts and indicate the requirements established by Law 1581 of 2012 and Decree 1377 of 2013. Therefore, an effort will be made to separately outline what pertains to both regulations, so there is no confusion for the data subject regarding the rights granted under each.

The section of the Authorization covering the aspects outlined by this Law will indicate:

  • The purpose of the data processing.
  • The type of processing that will be carried out.
  • The identification and address (physical or electronic) where the data subject can be contacted.
  • The existence of the policy that outlines the rights of the data subject.

Thus, in the case of the use of personal data that does not specifically relate to the development of the binding relationship between HOTEL ZUANA and its customers or users, but rather to the sending of commercial or advertising information, the data subject may, through written communication addressed to the address: Carrera 2 # 6 – 80 Avenida Tamaca Bello Horizonte in Santa Marta, Magdalena, or via email at proteccion_datos@zuana.com.co, express their wish not to be contacted for such purposes.

3.3. Identification of Databases
HOTEL ZUANA has identified the following databases:

  1. Direct Customers (Guests)
  2. Users (People who use HOTEL ZUANA's services but do not stay there)
  3. Agreement Customers (Attendees of Congresses, Conventions, etc.)
  4. Timeshare Customers
  5. Potential Customers
  6. Suppliers
  7. Contractors
  8. Employees
  9. Former Employees
  10. Former Customers (Direct, Agreement, and Timeshare).
  11. Former Users
  12. Former Suppliers
  13. Supplier Candidates
  14. Former Contractors
  15. Employee Candidates

3.4. Purpose
The databases of direct customers, users, agreement customers, and timeshare customers are used for the proper provision of services by HOTEL ZUANA, as well as to send these data subjects information that may be of interest. To keep its customers and/or potential customers informed and to interact with them, HOTEL ZUANA will use social media.

The potential customers database seeks to maintain contact with the data subject to inform them about the services and products offered by HOTEL ZUANA.

The suppliers and contractors database aims to have updated, solid, and sufficient information about individuals who are suppliers and contractors or wish to become such.

The employee database keeps the information of staff members up to date so that the employment relationship can be properly managed. The database of candidates in the selection process collects information from resumes, certifications, and personal references of those applying for selection processes at HOTEL ZUANA, aiming to identify the most suitable candidates for employment. In no case is this data shared with any other company. The data corresponding to former employees is stored to fulfill the corresponding legal obligations, and potential candidates' data is kept to contact them about new opportunities.

3.5. Validity
The data is retained following the principles of necessity and reasonableness, expiration and temporality, as provided in Decree 1377 of 2013 and the regulations governing document retention.

3.6. Information Provision Channels
HOTEL ZUANA establishes the following communication channels for data subjects:

CHAPTER IV. OBLIGATIONS

4.1. Duties of the Data Controller

The General Law defines the data controller as the natural or legal person, public or private, who, alone or in association with others, decides on the database and/or the processing of the data.

According to Ruling C-748 of 2011, the data controller is "the one who defines the essential purposes and means for the processing of the data, including those who act as sources and users," and may circulate or use the data in a certain way. Their duties are:

  • Ensure that data subjects fully and effectively exercise their Habeas Data rights through the service channels established in this Manual.
  • HOTEL ZUANA will store the authorizations granted by the Data Subjects under the appropriate security measures corresponding to the type of information obtained.
  • HOTEL ZUANA will state the purpose of data collection, both in the text used to obtain the Data Subject's authorization and in the Privacy Notice. The Data Subject will always be aware of the type of processing their data will undergo, whether it will be shared or circulated, the purpose, and how they can express their will regarding the scope of this processing.
  • HOTEL ZUANA will ensure that the use of data aligns with the provision of services to its clients and users. Additionally, when appropriate and according to the obtained authorizations, it will request the clients’ and users’ consent to send them commercial information related to services offered by other companies within the SOCIEDADES BOLIVAR Business Group.
  • The rights of the Data Subject will be included in the Privacy Notice published on HOTEL ZUANA's website, and this will be indicated when obtaining their consent.
  • The effective cooperation of Data Subjects in updating their information is crucial for ensuring that the person in charge of processing is informed of any updates to the data provided.
  • Chapter V of this Manual outlines the procedures for handling inquiries and complaints submitted by data subjects.
  • Security incidents that could jeopardize the administration of the Data Subjects' information will be reported to the Superintendency of Industry and Commerce, following the procedure established in this manual.
  • The instructions and requirements issued by the Superintendency of Industry and Commerce will be recorded in a special system under the responsibility of the HOTEL ZUANA Data Protection Committee, which is responsible for monitoring the adoption and compliance with these policies.

4.2. Duties of the Data Processor

The law defines the data processor as the natural or legal person, public or private, who, alone or in association with others, processes personal data on behalf of the Data Controller. Since most of the obligations established for the Processor are similar to those for the Controller, this section will only refer to those not listed in section 4.1 of this document. Their duties are:

  • Efficient channels will be available to ensure that information updates made by the Controller are received and processed within the five (5) business days prescribed by law. These channels will include an email address and telephone contact from the appropriate department.
  • If information is contested by the Data Subject and its blocking has been ordered by the Superintendency of Industry and Commerce, the responsible department or staff member will issue the necessary instructions to prevent its circulation.
  • Access to information will only be allowed to authorized persons as per the law. Requirements for judicial and administrative authorities requesting such information will be established, including identifying the functions that allow them to make the request and the investigation number. Requirements for Data Subjects, representatives, or successors will include proof of their status and appropriate documentation.

4.3. Security Measures

HOTEL ZUANA has internal regulations and protocols regarding information security to ensure compliance with the required security measures. This manual will include technical tools to ensure proper preservation, authorized access, document recovery, and more. Contracts with Processors will include clauses that clearly establish their duty to guarantee the security and privacy of the Data Subject's information. Contracts with employees and suppliers will include clauses establishing their duty to guarantee the security and privacy of the Data Subject's information.

CHAPTER V. PROCEDURES TO ENSURE THE EXERCISE OF DATA SUBJECTS' RIGHTS

5.1. Inquiries

In line with Article 14 of the Law titled “Inquiries,” Data Subjects or their successors may inquire about the information held about them in HOTEL ZUANA’s databases. To submit an inquiry, they must verify their identity as follows:

  • If submitting a written document, they must attach a copy of their ID.
  • For inquiries made by phone, the identity of the person making the inquiry will be validated to verify its authenticity.
  • For inquiries made by email, the identity of the person making the inquiry will be validated to verify its authenticity.
  • Successors must prove their relationship by attaching a copy of the death certificate and their ID, or a copy of the will opening statement and their ID.
  • Representatives must present an authenticated copy of the power of attorney and their ID.

Once HOTEL ZUANA receives an inquiry request, they will review the individual record corresponding to the Data Subject’s name and provided ID; if there are discrepancies, they will inform the inquirer within five (5) business days to clarify. If the documents match, they will respond within ten (10) business days. If more time is needed, HOTEL ZUANA will inform the Data Subject and provide a response within five (5) additional business days.

5.2. Complaints

Data Subjects or their successors who believe that the information contained in a database managed by HOTEL ZUANA should be corrected, updated, or deleted, or who notice a breach by HOTEL ZUANA or its Processors, can file a complaint under the following terms:

  • The complaint must be submitted to HOTEL ZUANA or the Data Processor, accompanied by the Data Subject’s ID, a clear description of the facts leading to the complaint, any supporting documents, and the address (physical or electronic) where they wish to receive notifications.

If the complaint is incomplete, the interested party will be requested to correct it within five (5) business days of receipt, through the channel by which the complaint was received. If two (2) months pass from the date of the request without the required information being provided, the complaint will be considered withdrawn.

If HOTEL ZUANA or the Processor cannot or is not competent to address the complaint, it will be forwarded to the appropriate party within two (2) business days, and the interested party will be informed.

HOTEL ZUANA will use the email indicated in Section 3.6 for these purposes to identify when the matter was forwarded and the corresponding response or confirmation of receipt. If HOTEL ZUANA does not know who should handle the matter, they will immediately inform the Data Subject, copying the Superintendency of Industry and Commerce.

Once the complete complaint is received, the corresponding database will include the note "Complaint in Process" and its reason within a maximum of two (2) business days.

The maximum time to respond to the complaint is fifteen (15) business days. If it is not possible to respond within this period, the interested party will be informed of the delay's reason and the date the complaint will be addressed, which will not exceed eight (8) business days following the first deadline.

5.3. Complaints to the Superintendency of Industry and Commerce

The Data Subject, successor, or representative must exhaust the previous inquiry or complaint procedure before approaching the Superintendency of Industry and Commerce to file a complaint.

5.4. Department or Person Responsible for Handling Requests, Inquiries, and Complaints

The Systems and Quality Management departments are responsible for ensuring compliance with these provisions and have direct communication with other employees to ensure all aspects are properly addressed and the legal obligations are met. HOTEL ZUANA will also rely on the Personal Data Protection Committee, composed of representatives responsible for the databases.

5.5. Policy Effective Date

This policy takes effect upon its approval and publication and will be communicated to all HOTEL ZUANA employees mentioned in this document. This effort to promote awareness, education, and information will continue throughout the enforcement of the new law. The policy will also be published on HOTEL ZUANA's website so that data subjects have access to it.

5.6. Applicable National Legislation

It is important to reiterate that the activities carried out by HOTEL ZUANA are regulated and subject to the supervision of the Ministry of Commerce, Industry, and Tourism and the Superintendency of Industry and Commerce, with observance of the Consumer Protection Law, Law 1480 of 2011. Additionally, in the administration of personal data, the General Law 1581 of 2012, Decree 1377 of 2013, and as applicable, Law 1266 of 2008 concerning financial and credit data, and consultations and reporting to credit bureaus, will be applied, along with any other laws that amend, supplement, or regulate them.