Privacy policy Salvio Apartasuites, Bogotá

Official website

Privacy Policy

The UNILEMH-LEMCO, S.A. business group, based in Bogotá, in the Diagonal 25 G No. 94-55 Distrito Capital, under the principle of unity of purpose and direction 1, in compliance with In compliance with Law Colombian 1581 of 2012 for the Protection of Personal Data, Law 1266 of 2008 of Habeas Data and as established by the National Constitution, seeks to protect the right of all persons to know, update, rectify and suppress the private information that is subject to the reservation that is stored on them in database or files, assuming an ethical and responsible behavior, with social commitment, that allows the use and treatment of personal information for the purposes for which it was collected, generating a culture of protection of the rights of the holders in the development of each of the activities of the subsidiaries and / or subordinates companies, It is thus that it hereby provides its guidelines for the implementation of the Integral Program for the Management of Personal Data, which establishes policies for the use, administration, transmission and other activities involving personal data.

Also, establish the mechanisms and channels to properly inform the owner of the purpose of the collection and the rights that assist him by virtue of the authorization granted, establish the guidelines against those in charge of information and report to the operators of the information.

1. Scope.

This policy of Protection of Personal Data will be applied to all Databases and/or Files containing Personal Data that are subject to Treatment by LEMCO, S.A., Challenger, S.A.S., Dorado Hoteles, S.A.S., Habitad Store, S.A.S., Sky Electronics Zona Franca, S.A.S., Sky Forwarder, S.A.S., each individually considered as responsible and/or in charge of the processing of personal data, (hereinafter, THE COMPANY).

The coverage of these policies covers all the employees, customers, suppliers of THE COMPANY, as well as the potential clients with whom the company maintains communication.
Within the company there is NO processing (collection, storage, use, circulation or deletion) of sensitive data of the holders of personal data.

2. Identification of the Responsible for the Processing of Personal Data.

GROUP LEMCO S.A., and Challenger, S.A.S. companies domiciled in Bogotá, Distrito Capital on the diagonal 25G No.94-55; Dorado Hotels, S.A.S. with address in Bogotá, Distrito Capital on the avenue El Dorado No.100 - 97; Habitat Store, S.A. with address in Bogotá, Distrito Capital on the north freeway No.183 A-70; Sky Electronics Zona Franca S.A. S., Sky Forwarder, S.A.S. companies with address in career 106 No.15-25 apple 14 int 81 of the city of Bogotá, D.C. Colombia. Email protecciondedatos@lemco.co , telephone (+571) 4256000.

3. Definitions.

Authorization: It is the prior, express or informed consent of the holder to carry out the processing of personal data.
Notice of Privacy: Verbal or written communication generated by the responsible person, addressed to the owner for the Treatment of his personal data, by which he is informed about the existence of the policies of Treatment of information that will be applicable to him, the way of accessing them and the purposes of the Treatment intended to be given to personal data.
Database: Organized set of personal data that is object of Treatment.
Express consent: It is any manifestation of will, free, specific, informed and explicit, through which the interested party accepts, either by means of a declaration or affirmative action, the processing of personal data that concerns him. These “clear affirmative actions” of the proposal of the regulation are the unequivocal behaviors in the comment.
Personal Data: Is any linked information or that may be associated with one or more natural persons determined or determinable or that may be associated with a natural or legal person. Impersonal data are not subject to the data protection regime. When reference is made to a data, it is presumed that it is for personal use. Personal data, may be public, semiprivate or private.
Responsible for treatment: Natural or juridical person, public or private, that by itself or in association with others, decides on the database and / or the Treatment of the data.
Holder: Natural person whose personal data is subject to Treatment.
Information Holder: It is the natural or juridical person to whom the information that rests in a data bank and subject of the right of Habeas Data and other rights and guarantees of the applicable normativity refers.
Treatment: Any operation or set of operations on personal data such as collection, storage, use, circulation or deletion.
User: The user is the natural or legal person who can access the personal information of one or more holders of information provided by the operator or by the source, or by the owner of the information. The user, insofar as he has access to the personal information of third parties, is subject to the fulfillment of the duties and responsibilities envisaged to guarantee the protection of the rights of the holder of the data. In the case where the user in turn delivers the information directly to an operator, it will have the double condition of user and source, and will assume the duties and responsibilities of both.

4. Guiding Principles

The companies of the group develop the Integral Program of Protection of Personal Database applying in a harmonic way the following principles:

Principle of access and restricted circulation: The treatment is subject to the limits derived from the nature of the personal data, the provisions of the applicable regulations and the Constitution. In this sense, treatment can only be done by persons authorized by the holder and / or by persons provided for in the regulations. Personal data, except for public information, may be not available on the Internet or other means of massive divulgation or communication, unless access is technically controllable to provide restricted knowledge only to the Holders or third parties authorized in accordance with the normativity.

The treatment is subject to the limits derived from the nature of the personal data, the provisions of the applicable regulations and the Constitution. In this sense, treatment can only be performed by persons authorized by the holder and / or by persons provided for in the regulations. Personal data, other than public information, may not be available on the Internet or other means of communication or mass communication, unless access is technically controllable to provide restricted knowledge only to the Holders or third parties authorized in accordance with normativity.

Principle of Confidentiality: All persons involved in the treatment or administration of Personal data which are not of a public nature, are obliged at all times to guarantee the Reserve oh the information, even after the end of their relationship with some of the tasks involved in the processing and management of data, can only supply or communicate Personal data when it corresponds to the development of the activities authorized in Law 1581 of 2012 and in the terms of it.

Principle of favoring an activity of public interest: The management activity of financial, credit, commercial, service and that comes third-country directly related and favors an activity of public interest, such as financial activity properly, because it helps the democratization of credit, promotes the development of the activity of credit, the protection of public confidence in the financial system and its stability, and generates other benefits for the national economy and in particular for the financial, credit, trade and of services in the country.

Principle of purpose: The treatment of the information contained in the Databases of the Group companies obeys a legitimate purpose in accordance with the Constitution and the Law, which must be informed previous the holder owner or at the moment of granting the authorization.

Principle of integral interpretation of constitutional rights: T The application of the regulations will be interpreted in the sense that the constitutional rights, such as habeas data, the right to good name, the right to honor, the right to privacy and the right to information, are properly protected. The rights of the rightholders shall be interpreted in harmony and in a level of balance with the right to information provided for in article 20 of the Constitution and with the other applicable constitutional rights.

Principle of Legality in Matters of Data Processing: The treatment of the information contained in The Databases of the Group companies, will be applicable in the pertinent thing, the established in the law 1581 of 2012 and in the other dispositions that develop, modify and / or complement it.

Principle of Freedom: The treatment of the information contained in the Databases of the companies of Group can only be exercised with the prior, express and informed consent of the holder. The data Personal may not be obtained or disclosed without prior authorization, or in the absence of a legal mandate or Judicial decision releasing consent.

Safety Principle: The information subject to treatment referred to in law 1581 of 2012, the law 1266 of 2008 for habeas data, as well as the result of the queries made by its users, will be handled with technical, human and administrative measures necessary to provide to security records preventing tampering, loss, consultation, use or unauthorized or fraudulent access.

Principle of Transparency: The Group companies, in the treatment of the information contained in the Databases, will guarantee the right of the holder to obtain at any time and without restrictions, Information about the existence of data concerning you in accordance with the provisions of the law.

Principle of temporality of information: The period of conservation of Personal Data will be the necessary to achieve the purpose for which they have been collected and / or while the holder has obligations pending, responsibility direct or indirect liability for the additional time required by special rules or by prescription times. Likewise It may not be supplied to users or third parties when it stops serve for the purpose that was collected.

Principle of veracity or quality: The information subject to treatment by the Group companies will be truthful, complete, accurate, up-to-date, verifiable and understandable. Treatment of partial, incomplete, fractional or error-inducing data is prohibited.

5. Nature of the personal data object of the Treatment.

The nature corresponds to the type of information that can be supplied in a database and is classified in:

Public Data: They are considered public data, among others, data that are in the marital status of the persons, their profession or trade and their status as a trader or public servant. By their very nature, public data may be contained, inter alia, in public records, public documents, official bulletins, gazette and duly executed judicial sentences that are not subject to reservation. Is the data that is not semi-private, private or sensitive.

Sensitive Data: Are those that affect the privacy of the holder or whose wrong use may generate its discrimination, such as that which reveals racial or ethnic origin, political orientation, religious or philosophical convictions, membership of trade unions, social organizations, that human rights, that promotes the interests of any political party, or that guarantee the rights and guarantees of opposition political parties, as well as data on health, sexual life, and data biometric (such as fingerprint, signature and photo).

Datos semiprivados: Los datos que tienen carácter íntimo, reservado, no público y cuyo conocimiento o divulgación puede interesar no sólo al propietario sino a un determinado sector o grupo de personas o sociedad en general, como datos financieros y actividad crediticia comercial, servicios Y los procedentes de terceros países contemplados en el Título IV de la Ley 1266 de 2008.

Private Data: It is the data that by its intimate or reserved nature is only relevant for the holder.

6. Purpose of the use of the data:

THE COMPANY, may only collect, store, use or circulate personal data for as long as Is reasonable and necessary, in accordance with the following purposes:

-To establish, maintain, deepen and strengthen relations with consumers and customers by sending of relevant information, takin decisions and the attention of requests, complaints and claims (PQR’s) by customer service area, post-sale service or technical, the evaluation of quality of its customer service and the invitation of events organizer or sponsored by the company, among others

-For the supply, catering timely and quality measurement with its suppliers, through the invitation to participate in selection processes, the evaluation of the fulfillment of its obligations and the invitation to events organized or sponsored by the company, among others.

-To establish, keep, deepen and strengthen the relations with their employees and their family in the process of recruitment, selection, recruiting, provision of welfare programs, health and performance.

-For interaction with their contractors and conveyors, verification of compliance with service and distribution standars, of their legal obligations to their workers and for the invitation of events organized or sponsored by the company, among others.

-For marketing, promotional, statistical, research and the other commercial purposes that do not contravene current Colombian legislation.

-To improve, promote and develop their products or be consulted, exchanged or circulated between and by the companies of the LEMCO, S.A. group with any entity of the real sector to fulfill its corporate purpose, attention of entities subject to the inspection, surveillance and control of the superintendence of industry and commerce, judicial and/or any information operator and/or national or foreign data bank.

-For the determination of outstanding obligations, the consultation of financial information and credit history and the report to information centers of unfulfilled obligations, with respect to its debtors and verification of the balance of its creditors.

-For the attention of judicial or administrative requirements and the fulfillment of judicial or legal mandates.

-For administrative purposes, their legal obligations to their workers, accountants, prosecutors, juridical or information historical, punishment of crimes or to ensure public order.

-To eventually contact via email or by any other means to natural persons with whom you have or have a relationship, such as, without meaning limitation on the enumeration, employees and their relatives, shareholders, consumers, customers, distributors, suppliers, creditors and Debtors, for the aforementioned purposes.

-For the recognition, protection and exercise of the rights of the shareholders of the company.

MAIN PURPOSES

• CUSTOMERS: Provide services, convene events, send technical and commercial information, offer services from allies of the group or other companies, request commercial alliances, after-sales service, among others, related to the corporate purpose of the company.

• SUPPLIERS: Contact to request technical and commercial information of products and services, through catalogs, technical data sheets and quotes, commercial alliances, after-sales services, training and sale of products and services.

• WORKERS: For selection processes, contracting and development of welfare activities.
Personal data must be preserved for compliance with a legal or contractual obligation; once the purpose (s) has been fulfilled, they must proceed to the deletion of the personal data in their possession.

7. Rights of the holders of personal data

The holder of the personal data will have the following rights:

a) Know, update and rectify your personal data. This right may be exercised, among other against data partial, inaccurate, incomplete, fractional, that induce to error, or those whose treatment is expressly prohibited or has not been authorized.
b) Request proof of authorization granted by the Entity, except when expressly excepted as a requirement for the Treatment, in accordance with the provisions of article 10 of Law 1581 of 2012.
c) Be informed, upon request, of the use that has been given to their personal data.
d) To submit complaints to the Superintendency of Industry and Commerce for breaches of the provisions of the law 1581 of 2012 and the other norms that modify, add or complement it.
e) Revoke the authorization and / or request the deletion of the data when the treatment is not respected the principles, rights and constitutional and legal guarantees. The revocation and / or withdrawal shall when the Superintendency of Industry and Commerce has determined that in the Treatment the entity has engaged in conduct contrary to this law and the Constitution.
f) Free access to your personal data that have been processed.
g) Be informed of substantial changes in the content of the policies related to the purpose of the processing of personal data.
h) Consult the Registry National Database, the minimum information provided for in Article 5 of Decree 886 of 2014, in order to facilitate the exercise of their rights to know, update, Rectify, delete the data and / or revoke the authorization.

The holders of financial and credit information shall additionally have the following rights:

a) To go to the monitoring authority to file complaints against sources, operators or users for violation of the rules on administration of financial and credit information.
b) To go before the supervisory authority to try to order an operator or source to correction or updating of your personal data, when appropriate, as established in the regulations.

8. Authorization of the Holder.

Any person who wants to purchase the products or services of THE COMPANY and that requires provide personal information for its commercial or contractual relationship, it must grant prior, express and informed consent or authorization for the processing of your personal data or To supply the information to third parties commissioned by THE COMPANY for such treatment; Information that will be obtained by any means that may be subject to subsequent consultation, in writing, oral conduct or by unequivocal conduct of the holder that allows a reasonable conclusion that granted the authorization.

Prior authorization means that the consent must be granted by the Holder, at the latest in the at the time of collection of Personal Data.

Express authorization, meaning that the consent of the Holder must be explicit and specific, are not valid open and non-specific authorizations. The Holder is required to state his / her willingness to authorize THE COMPANY to process Personal Data.

This manifestation of will of the Holder can take place through different mechanisms made available by the company, such as:

-In writing, for example, completing out an authorization form.
-Orally, for example, in a telephone conversation or in a videoconference.
-Through unequivocal conduct to conclude that he granted his authorization, for example, to By expressly accepting the Terms and Conditions of an activity within which Require the authorization of the participants for the Treatment of their Personal Data

IMPORTANT: In no case will THE COMPANY assimilate the silence of the Holder to an unequivocal conduct.

Whatever the mechanism used by THE COMPANY, it is necessary that the authorization be retained to be able to be consulted later.

Informed Authorization means that, at the time of requesting consent to the Holder, it must be informed clearly:

The Personal Data to be collected.

-Identification and contact details of the responsable and the person in charge the treatment.
-The specific purposes of the intended Treatment, how and for what purpose make the collection, use, circulation of Personal Data.
-What are the rights you have as the holder of the Personal Data; For the effect see the numeral 6 of this Policy.
-The optional nature of the response to the questions that are asked, when they are about sensitive data or on the data of children and adolescents.

The authorization of the holder is not necessary in the case of:

-Information required by a public or administrative entity in the exercise of its legal functions or By court order.
-Data that is public in nature.
-Cases of medical or health emergency.
-Processing of information authorized by law for historical, statistical or scientific purposes.
-Data related to the Civil Registry of Persons.

Those data or databases that are available to the public may be processed by any person as long as, by their nature, they are public data.

The administration of semi - private and private data requires the prior and express consent of the holder of data, except in the case of financial, credit, commercial, services and Countries which does not require authorization from the holder.

Authorization shall be requested from the holder for the processing of sensitive personal data when necessary for processes related to the monitoring and monitoring of employees related to health and biometric information for security schemes and protocols; However, this authorization may not be conditional on the holder providing such sensitive data.

A new authorization will be requested in case the policies undergo substantial changes related to the purpose of the processing of personal data.

9. Channels to exercise the rights
Channels are the means of receiving and attending to requests, queries and complaints that each of the entities have at the disposal of the owners of the information, through which the owner can exercise their rights to know, update, rectify, delete their personal data contained in databases and to revoke the authorization granted for the treatment of the data, when this is possible.

The area responsible for petitions atention, inquiries and complaint shall be the Protection Officer of Data through the following channels of attention to the holder of the personal data:

TELEPHONE ATTENTION; The telephone call to the data subject for consultations or complaints will be at the number 4256000 - the customer service line 4256240 (Bogotá) from 8:00 a.m. to 5:00 p.m.
(Business hours); Or the national line 01-8000- 111966. The call will be answered by the area responsible, who will forward the same to the Personal Data Protection Officer designated within the company.

ATTENTION BY WEBSITE: The attention by web page will be attended by the following addresses:

Challenger, S.A.S. http://www.challenger.com.co/
Dorado Hoteles, S.A.S. http://www.challenger.com.co/
Habitat Store, S.A.S. http://www.habitatstore.com.co/
Sky Forwarder, S.A.S. http://www.skyzf.com.co/
Sky Electronics Zona Franca, S.A.S. http://www.skyzf.com.co/

EMAIL: The attention by email will be made to protecciondedatos@lemco.co

10. Legitimation for the exercise of the Rights of the Holders

The rights of the holders established by law may be exercised by the following persons:

-For the holder, who must prove his identity in a sufficient way by the different means that make it available the responsible of treatment.
-For their successors, who must prove such quality.
-By the representative and / or proxy of the holder, Duly accredited.
-By stipulation in favor of another or for another; That is, by provision of a contract, treaty, will or any other similar document, public or private, expressing said condition.
-The rights of children and adolescents shall be exercised by persons who are empowered to represent them.

11. Provision of Information

The requested information can be provided in a simple and agile way by any of the means arranged by the company, including electronic, as required by the holder. The holder can consult for free their personal data:

1. At least once each calendar month.
2. Whenever there are substantial changes of treatment policies to the information that motivate further consultations.

To queries whose periodicity is greater than one for each calendar month, the holders will be charged the Costs of shipping, reproduction and, where appropriate, document certification.

The information will also be provided to the database operators according to the terms as defined in Law 1266 of 2008 and to the control and supervision entities in the terms of the law and in agreement to the External Circular 002 of 2015 for the registration and reporting in the National Registry of Databases -RNBD.

12. Information treatment

The Company, acting as the Person in charge of the Processing of Personal Data, for the Development of its commercial activities, as well as for the strengthening of its relations with third parties, the company collects, uses, circulates, stores or suppress information corresponding to natural persons with whom you have or have had a relationship, such as employees and their families, shareholders, consumers, customers, distributors, Contractors, suppliers, creditors and debtors. Personal data contained in databases can be treated in an automated or manual way.
Processing of sensitive data is prohibited except where:

a. To the holder has given his explicit authorization to such treatment, except in cases that are not legally required to grant authorization.
b. The treatment be necessary to safeguard the vital interest of the holder and the holder is physically or legally incapacitated. In these events, legal representatives must grant their authorization.
c. The treatment is carried out in the course of legitimate activities and with due guarantees for one foundation, NGO, association or any other non-profit making body whose purpose is Political, philosophical, religious or trade union, provided that they refer exclusively to its members or to Persons who maintain regular contacts by reason of their purpose. In these events, the data may not be supplied to third parties without the authorization of the holder
d. The treatment refers to data that are necessary for the recognition, exercise or defense of a Right in a judicial process.
e. The treatment has a historical, statistical or scientific purpose. This event should be measures leading to the suppression of the identity of the holders.

12.1 Rights of children and adolescents

According to the provisions of Article 7 of Law 1581 of 2012 and article 12 of Decree 1377 of 2013, THE COMPANY will only carry out the Treatment, that is, the collection, storage, use, circulation and / or deletion of Personal Data, except for data that are public in nature, corresponding to Children and adolescents to grant the benefits provided by The Company to the children of their Employees directly or through interposed person; for which such treatment must comply with the following parameters and requirements:

-That responds and respects the best interests of children and adolescents.
-Ensure respect for their fundamental rights.
-Ensure proper use of such data.

Once the above requirements have been met, THE COMPANY must obtain the Authorization of the legal representative of the child or teenager, prior to the child's exercise of their right to be listened; opinion that will be valued taking into account the maturity, autonomy and ability to understand the subject.

12.2 Collection of Personal Data

The collection of data should be limited to those personal data that have the purpose of knowledge of the persons with whom the entity has commercial or contractual relations to the fulfillment of its objectives or strategic foci according to the economic activity of each company Subsidiary or subordinate that belongs by LEMCO S.A. group and fulfillment of the others Legal and commercial provisions issued by supervisory and control bodies; For this you will have the Media, channels, use of networks, among others for the collection of information. May not be collected Personal data without the authorization of the holder.

When accessing or using the services contained within the COMPANY websites, the same may collection information through passive information technologies, such as "Cookies 2", through which information about the equipment hardware and software is collected, IP address, browser type, operating system, domain name, access time and addresses of the websites of origin, Operating system, domain name, access time and the addresses of the websites of origin; Through the use of these tools are not collected directly Personal data of the users. Information will also be collected about the pages that the person visits more frequently in these websites in order to know their browsing habits. Do not however, the user of the COMPANY websites has the possibility to configure the operation of the "cookies", according to the options of your internet browser.

12.3. Use, Supply and Circulation of Information

The personal information collected will be processed in accordance with the purpose of the data and for the Provision of information to the holder previous authorization; In the same way it can be supplied to the Authorized for their administration, either verbally or in writing, or make availableor the following persons and in the following terms:

a. To the holders, to the third parties duly authorized by these or by the law and its assignees or their legal representatives.
b. To the users of the information, within the parameters of law 1266 of 2008 Habeas Data.
c. To any judicial authority, prior court order.
d. To public or administrative entities in the exercise of their legal functions or judicial order.
e. To the control organs and other units of disciplinary investigation, fiscal, or administrative investigation, when the information is necessary for the development of an ongoing investigation.
f. To other data operators, when authorized by the holder, or when not necessary, the authorization of the holder the bank or operator of destination data has the same purpose, or a purpose that comprises the one that has the operator that delivers the data. If the receiver of the information be a foreign data bank, the unauthorized delivery of the holder may only be performed by leaving the written record of the delivery of the information and after verification by the operator that the laws of the respective country or the recipient provide sufficient guarantees for the protection of rights of the holder.

12.4 Deletion and / or Deletion of Personal Data

It corresponds to cease the treatment or supply of personal information collected from the holder. This information will have as final disposal removal of the original Database leaving the register in a database destined to the recognition of elimination of this information, which will not be subject to any type of treatment. Information related to national security, as well as to the prevention, detection, monitoring and control of money laundering and financing of terrorism, such as financial, credit, commercial, service and non-financial, and from third countries, information is not subject to deletion or deletion.

13. Procedures attention queries and Complaints

The holders of the information are enabled the means for the attention of the requests, consultations and complaints from the owners of the information following full verification of the observations or of the holder, making sure to review all relevant information reply to the holder and that they can exercise their rights to know, update, rectify, data and revoke the authorization, as long as you can keep evidence of these queries and complaints.

13.1 Inquiries

The holders or their assignees in title may consult the personal information of the holder who is in the base of data of the Company, previous validation and accreditation of its identity according to the procedures established or by any channel of communication described in number 9 of this politics, provided that evidence of the consultation is maintained by technical means.

Consultations by e-mail must contain at least: i) the complete identification of the holder, Ii) the personal data that they want to be consulted, ii) address, iii) electronic mail and; (iiii) in case being assignees, attach the respective document that demonstrates it.

The consultation will be answered by THE COMPANY, within a maximum term of ten (10) business days counted to from the date of receipt of the electronic mail or physical document. When it is not possible to attend to the within that term THE COMPANY Will inform the interested party by stating the reasons for the delay and will indicate the date in which your request will be attended in a maximum time of five (5) business days following the expiration of the first term.

When the consultation is not clear, it is not understood, or does not meet the necessary requirements to develop a response by the COMPANY this it will inform the holder or the assignees, the reasons for the delay and will indicate the date on which your request will in a maximum period of five (5) business days following the expiration of the first term.
After two (2) months from the date of the request, without the applicant submitting the required information, THE COMPANY will understand that the owner or assignee has given up the query.

In case the person receiving the complaint is not competent to resolve it, correspond within a maximum term of 2 working days and inform the interested party of the situation.

Thus, the maximum term to attend the consultation will be fifteen (15) working days, as long as within ten (10) business days of receipt of the request by any means provided for this reason, the owner will be informed of the reason for the delay, otherwise the maximum term will be ten (10) business days.

Right of Update, Rectification or Correction and Deletion of Personal Data

In the development of the principle of truthfulness or quality, in the processing of personal data, each company shall take reasonable measures to ensure that the personal data contained in the databases are accurate and sufficient and, when requested by the owner or When the Company has been able to notice it, are be updated, rectified or suppressed, in such a way as to satisfy the purposes of the treatment.

In this case, it must be recorded the changes made, duly registered by means of the channel suitable and user, date and time in which said modification was made.

In the event that the holder requests a deletion or deletion of the data, if the respective legal term expired, the Company, as the case may be, of not having would not have delete the personal data, the holder will have the right to request the Superintendency of Industry and Commerce that orders the revocation of the authorization and / or suppression of personal data.

YOU ARE INFORMED PERSONAL DATA HOLDERS THAT SUPPRESSION OR REVISION OF THE DATA TREATMENT AUTHORIZATION WILL NOT BE PROCESSED WHEN THE HOLDER HAS A LEGAL OR CONTRACTUAL DUTY TO STAY IN THE DATABASE OF THE COMPANY

Revocation of the Authorization and / or Deletion of the Data

The owners may at any time request THE COMPANY to delete their personal data and / or revoke the authorization granted for the treatment thereof, by filing a claim, In accordance with what is established in article 15 of Law 1581 of 2012. The request for the deletion of the Information and revocation of the authorization shall not proceed when the holder has a legal or Contract to remain in the database.

The owner or assignee may only file a complaint with the Superintendence of Industry and Commerce once has exhausted the process of consultation or claim with the Company.

13.2 Complaints and claims

The holder or his successors in title who consider that the information contained in a database should be corrected, updated or deleted, or when they note the alleged non-compliance with the any of the duties contained in law 1581 of 2012, may file a claim to the Company under the following rules:

1. The claim shall be made by application addressed to THE COMPANY, with the identification of the holder, the description of the facts giving rise to the claim, the physical and electronic address, accompanying the documents that you want to enforce through the established channels.
2. If the claim is incomplete, the interested party will be required within five (5) days of the receipt of the claim to remedy the faults. After two (2) months from the date of without the applicant submitting the required information, it shall be of the claim.
3. In case the person receiving the complaint is not competent to resolve it, correspond within a maximum term of two (2) business days and inform the interested party of the situation.
4. Once the complete claim is received, a legend will be included in the database that says claim in process; and the reason for the same, in a term not greater than two (2) business days. This legend should stay until the claim is settled.
5. The maximum term to attend the claim will be fifteen (15) working days from the day following the date of your receipt. When it is not possible to attend the claim within that term, the interested party will be informed of the reasons for the delay and the date on which his claim will be dealt with, which in no case may exceed eight (8) business days following the expiration of the first term.
6. In case of request of the operators of information contained in the databases personal, especially financial, credit, commercial services and from third countries, by means of claims or demands to the Company, this will inform the operator of the information in to two (2) business days following, so that the obligation can be fulfilled and should include the legend information in court discussion; and the nature of it within the Individual record. The same procedure shall be followed in case the Company initiates a process against the holder of the information, referring to the obligation reported as unfulfilled, and this to propose exceptions of merit.

The claim must contain at least: (i) the complete identification of the holder; (ii) a description of the facts that give rise to the claim, iii) home address, iv) e-mail, and; (V) the documents support that the owner or assignee wishes to enforce.

If the claim is incomplete, THE COMPANY will require the interested party within five (5) business days following receipt of the claim to remedy the faults. After two (2) months from the date of the request, without the applicant submitting the required information, THE COMPANY will understand, that the owner or assignee has withdrawn from the claim.

THE COMPANY will respond to the complaint within a maximum term of fifteen (15) working days from the day following the date of receipt. When it is not possible to attend the complaint within said term, the interested party shall be informed of the reasons for the delay and the date on which that exceeds 8 business days following the expiration of the first term.

13.3 Means enabled for submitting requests and queries:

THE COMPANY has arranged the following means for the reception and attention of petitions, claims and consultations, all of which allow to keep evidence of them:

Communication addressed to LEMCO S.A. Compliance Unit, Diagonal 25 G No. 94-55 in the city of Bogotá D.C.; Request submitted to email: proteciondedatos@lemco.co

14. Duties of the Data Processing Responsible

For the purposes of implementing the regulations, the subsidiaries or subordinated companies of the Group are responsible for the processing of databases and source of information of operators of the databases, so they must fulfill the following duties, without prejudice to the of the other provisions foreseen in the law and others that govern its activity:

a) Guarantee to the owner, at all times, the full and effective exercise of the right of habeas data.
b) Request and keep a copy of the respective authorization granted by the Holder.
c) Properly inform the owner about the purpose of the collection and the rights that are virtue of the authorization granted.
d) Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
e) Ensure that the information being processed is truthful, complete, accurate, up-to-date, verifiable and understandable.
f) The facultative nature of the answer to the questions that are asked, when they are about sensitive data or the data of children and adolescents.
g) Update the information and in case be in charge of a third party, communicate to the latter in a timely manner all information concerning the data which he has previously supplied to him and to adopt the other necessary measures to ensure that the information be updated.
h) Correct the information when it is incorrect.
i) Provide the Data Manager, as the case may be, with only data whose processing is previously authorized in accordance with the provisions of Law 1581 of 2012.
j) Require the third party in charge of the treatment at all times, the respect to the conditions of security and privacy of the holder's information.
k) To process the consultations and claims formulated in the terms indicated in law 1581 of 2012.
l) Adopt an internal policy and procedures manual to ensure proper compliance with the normativity and, especially, for the attention of consultations and claims.
m) To inform to the third party in charge when certain information is being discussed by part of the Holder, once the claim has been filed and the respective process has not been completed.
n) Report at the request of the Holder on the use given to his data.
o) Inform the data protection authority when violations of security and risks exist in the administration of the information of the Holders.
p) Inform the identification, physical or electronic address and telephone number of the Company.
q) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

14.1 Habeas Data Law

In accordance with Law 1266 of 2008, the administration information of financial, credit, commercial, of services and that coming from third countries, by the Company must be carried out in such a way favor the expansion and democratization of credit. The company in the development of its activity should assess this type of information concurrently with other factors or elements of which technically affect the risk assessment and credit analysis, and may not be based on exclusively on the information concerning the breach of obligations provided by operators to take decisions against credit applications (Risk Centers).

The Company shall ensure that the information provided to accurate, up-to-date and verifiable, you will additionally need to:

1. Report, on a regular and timely basis to the operator, all developments regarding the data provided and take all other necessary steps to supplied to it is kept up to date.
2. Correct information when it is incorrect.
3. Design and implement effective mechanisms to report timely information to the operator.
4. Request, when applicable, and keep a copy or evidence of the respective authorization granted by and ensure that operators are not given any provided that such authorization is necessary, in with the provisions of Law 1266 of 2008.
5. To certify, every six months to the operator, that the information provided is authorized.
6. Resolve the claims and petitions of the holder.
7. Inform the operator that certain information is under discussion by the owner, when the request for rectification of the same has been filed, in order that the Operator to include in the data bank a mention in that sense until Procedure.
8. Comply with the instructions given by the supervisory authority in relation to compliance with the law.
9. The others that are derived from the Constitution or the present law.

The Financial Superintendence of Colombia may impose the sanctions provided in the law to the entity deny a credit application based solely in the applicant's negative information report.

Persons to whom information can be supplied

Information that meets the conditions established in the Habeas Data law may be provided to the following persons:

a) To the holders, their successors in title or their legal representatives.
b) To the public or administrative entities in exercise of their legal functions or by judicial order.
c) To third parties authorized by the owner or by law.

15.Confidentiality and information management clauses

In contracts or relationships established with third parties, where the authorization for treatment is requested of personal data, the knowledge must be expressed to the sufficiency of the company's policy and the registration of acceptance must be left in order for the company to be able to use such information Responsibly.

Likewise, a compliance and confidentiality clause must be included within the contracts signed with employees, according to the internal policies adopted.

In the contracts of transmission of personal data for the companies that are required as managers the processing of personal data under its control and responsibility shall indicate the scope of the confidentiality, treatment, the activities that the Manager will carry out on behalf of the Company for the treatment of the personal data and the obligations of the Charge to the holder and the Company.

By means of this contract, the third in charge will undertake to give effect to the obligations of the Company under the information processing policy and to perform data processing in accordance with the purpose that the holders have authorized under the protection of applicable laws.

In addition to the obligations imposed by the applicable rules within the aforementioned contract, include the following duties in the head of the respective Manager:

1. Treat, on behalf of the Company, personal data in accordance with guiding principles.
2. Safeguard the security of databases containing personal data.
3. To maintain confidentiality regarding the processing of personal date.

Communication

This policy is an extract from the Integral Program of Management of Personal Data Corporate Group LEMCO S.A., for the exercise of the rights conferred by the Law (Law 1581 of 2012 and other norms Concordant) and if applicable, the electronic mail is made available to the holder concierge@hotelhabitel.com and protecciondedatos@lemco.co

16. Validity of the policy of processing personal data

This treatment policy developed by THE COMPANY is effective as of October 1, 2012.

_______________________________________________________________________________________________________________________________________________

Certificaci6n sobre el Sistema de Autocontrol y Gesti6n del Riesgo Integral LA/FT/FPADM SAGRILAFT y Etica Empresarial.
HOTEL HABITEL S.AS.

Cumplimiento de las Politicas y procesos de prevenci6n y control del Lavado de Activos, Financiaci6n al Terrorismo, corrupci6n y Financiaci6n de la Proliferaci6n de Armas de Destrucci6n Masiva.

HOTEL HABITEL S.A.S. (HABITEL HOTELS) Y SU MARCA COMERCIAL SALVIO, en adelante la Entidad,
debidamente constituida y establecida en Colombia, con sede principal en la ciudad de Bogota D.C. en la Avenida el Dorado# 100 - 97, y Calle 938 # 123 - 09; en el desarrollo de sus buenas practicas empresariales y acogidos a los lineamientos y politicas del Grupo Empresarial Lemco, vigilado por la Superintendencia de Sociedades, y al cual pertenece HABITEL S.A.S. (HABITEL HOTELS) Y SU MARCA COMERCIAL SALVIO, emite la presente certificaci6n, como garantia de su compromise en la lucha de prevenci6n y control del Lavado de Actives, Financiaci6n al Terrorismo, corrupci6n y Financiaci6n de la Proliferaci6n de Armas de Destrucci6n Masiva.

Como parte de las mejores practicas empresariales, responsabilidad social y en cumplimiento de la normatividad, la Entidad ha adoptado un Sistema de Autocontrol y Gesti6n del Riesgo Integral del Lavado de Actives, Financiaci6n al Terrorismo y Financiaci6n de la Proliferaci6n de Armas de Destrucci6n Masiva en adelante SAGRILAFT, que contempla el cumplimiento de lo establecido en la Circular Basica Juridica 100-000005 de 2015, actualizada por medio de la Circular Externa 100-000016 de la Superintendencia de Sociedades del 24 de Diciembre de 2020 , Capitulo X Autocontrol y Gesti6n del Riesgo de LA/FT y Reporte obligatorio de la lnformaci6n a la UIAF, las recomendaciones y mejores practicas nacionales e internacionales en esta materia; y ii) Etica Empresarial y Soborno Transnacional, en cumplimiento de la Ley 1778 de 2016, articulo 23, Circular Externa100- 000003 de 2016, Programas de Etica Empresarial. Asi mismo, este sistema hace parte de la cultura organizacional y de calidad mediante la adopci6n de polfticas, procedimientos y controles como un sistema de gesti6n integral orientado a la debida diligencia para vinculaci6n y mantenimiento de contrapartes, monitoreo de operaciones, capacitaci6n al personal, seguimiento del perfil del riesgo de la Entidad, identificaci6n de actos y comportamientos ilicitos, de operaciones inusuales a partir de seriales de alerta y reportes de operaciones sospechosas a la autoridad competente (UIAF), afianzando la transparencia, credibilidad y confianza en todas sus relaciones con sus contrapartes, mediante el comportamiento etico de todo su personal..

Estas actuaciones se encuentran centralizadas y reglamentadas desde la Unidad de Cumplimiento que reporta directamente al Representante Legal de la Empresa, bajo los principios de unidad de prop6sito, direcc6i n y aseguramiento ; fundamentados en los pilares de autogesti6n y autocontro,l establecidos en el Manual SAGRILAFT y el C6digo de Etica, aprobados por la Junta Directiva y que se traducen como principios y normas de conducta de prevenci6n y control para el cumplimiento obligatorio por todos los funcionarios de la Entidad, blindando a HABITEL HOTELS como a sus contrapartes de ser utilizados para dar apariencia de legalidad a actives provenientes de actividades delictivas, para la canalizaci6n de recurses hacia la realizaci6n de actividades terroristas o de conductas irregulares que pongan en riesgo la buena imagen de la empresa en la realizaci6n de sus operaciones.

Cualquier informaci6n adicional puede contactarse al correo unidaddecumplimiento@lemco.co, ocomunicarse al 4256000, ext. 728 o 748.