1. OBJECTIVE

Define the conditions for the treatment and privacy of personal data, in compliance with current legislation on the protection of personal data, in accordance with Law 1581 of 2012 (and other rules that modify, add, supplement or develop it) and those Decrees that regulate it.

Protect the personal and sensitive data of employees, customers and suppliers, providing tools that guarantee the authenticity, reliability and integrity of the information.

2. SCOPE

This policy applies to any data or information that is subject to processing (collection, use or transfer), coming from any natural or legal person, by virtue of a commercial or legal (contractual) relationship, directly linked to American Smart Systems & Networks LTDA. – AS-NET.

3. DEFINITIONS

For the interpretation of this Policy, the following definitions are used:

o Authorization: Prior, express and informed consent of the Data Subject to carry out the Processing of personal data1.

o Privacy Notice o Authorization for the Processing of Personal Data : Verbal or written communication generated by the responsible party, addressed to the Data Subject for the Processing of his/her personal data, by means of which he/she is informed about the existence of the information processing policies that will be applicable, the way to access them and the purposes of the Processing that is intended to be given to the personal data.

o Database: Organized set of personal data that is subject to processing.
o Personal data: Any information linked or that can be associated to one or more of the following: o Personal data: Any information linked or that can be associated to one or more

determined or determinable natural persons.

o Public data: Data that is not semi-private, private or sensitive. Data relating to the marital status of individuals, their profession or occupation, among others, are considered public data. By their nature, public data may be contained, among others, in public records, public documents, official gazettes and duly executed court rulings that are not subject to confidentiality.

o Sensitive data: o Sensitive data: Data that  affect the privacy of the Data Subject or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, orientation or interests of any political party, religious or philosophical convictions, membership in trade unions, social or human rights organizations, as well as data relating to health, sex life, and biometric data.

1 Law 1581 of 2012 Personal Data Protection. Article 3

o Data Processor: Natural or legal person, public or private, who by itself or in association with others, carries out the Processing of personal data on behalf of AS-NET as data controller.

o Processing Policy: It refers to the present document, as the personal data processing policy applied by AS-NET in accordance with the guidelines of the legislation in force on the matter.

o Supplier: Any natural or legal person that provides any service to AS-NET by virtue of a contractual/obligational relationship.

o Data Controller: Natural or legal person, public or private, who by itself or in association with others, decides on the database and/or the processing of the data, for the purposes of this policy, AS-NET shall act as data controller, in principle. In accordance with Ruling C-748 of 2011, it is “the one that defines the essential purposes and means for the processing of the data, including those who act as source and User”. Being able to put the data into circulation or use it in a certain way.

o Data Subject: Natural person whose personal data is the object of Processing, whether client, supplier, employee, or any third party who, due to a commercial or legal relationship, provides personal data to AS-NET.

o Worker/Employee: Any natural person who renders a service to AS-NET by virtue of a labor contract.

o Transfer: The transfer of data takes place when AS-NET as responsible and/or processor of personal data, located in Colombia, sends the information or personal data to a recipient (natural person/legal entity), which in turn is the Data Controller and is located inside or outside the country.

o Transmission: Refers to the communication of personal data by the controller to the Processor, located inside or outside the national territory, so that the Processor, on behalf of the controller, processes personal data.

o Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

For the understanding of the terms that are not included in the above list, you should refer to the legislation in force, especially to Law 1581 of 2012 and Decree 1377 of 2013, giving the meaning used in said regulation to the terms whose definition is in doubt.

4. POLICIES

In order to comply with current legislation on data protection, especially Law 1581 of 2012 (and other regulations that modify, add, supplement or develop it) and Decree 1377 of 2013, the most relevant aspects related to the collection, use and transfer of personal data will be addressed below. AS-NET, by virtue of the authorization granted by its stakeholders to carry out the management and treatment.

In this privacy and personal data treatment policy you will find the corporate and legal guidelines under which AS-NET carries out the data treatment, the purpose, your rights as owner, as well as the internal and external procedures for the exercise of such rights.

In accordance with the provisions of Article 15 of the Political Constitution of Colombia and the applicable legislation (Law 1266 of 2008, Law 1581 of 2012, Decree 1377 of 2013 and all those rules that regulate, add, repeal or modify them).

1. Customers, Employees and/or Suppliers will voluntarily provide personal data, by means of their prior, express and informed consent, by filling out the following form F- Authorization for Processing of Personal Data_SIF-04 or that which AS-NETto that end, and as appropriate, authorizing AS-NET for the collection, storage, use and transfer of Personal Data. The personal data of third parties that have a commercial or legal relationship with AS-NET, may not be obtained or disclosed without prior authorization, or in the absence of legal, statutory or judicial mandate that relieves the consent.
2. The information subject to Personal Data Processing must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractioned or misleading data is prohibited.
3. In the processing of personal data, AS-NET shall guarantee the Data Subject the right to obtain at any time and without restrictions, information about the existence of any type of information or personal data that may be of interest or ownership.
4. The information subject to treatment by AS-NET shall be handled with the necessary technical and administrative measures to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
5. All AS-NET employeesThe Company, who administer, manage, update or have access to information of any kind that is in databases, are obliged to guarantee the confidentiality of the information, and therefore undertake to keep and maintain strictly confidential and not disclose to third parties, all the information that they come to know in the execution and exercise of their functions, except in the case of activities expressly authorized by the data protection law. This obligation persists and shall continue even after the end of your employment with AS-NET.
6. AS-NET by means of the G-Privacy Notice_SIG-02 and using the format F-Personal Data Processing Authorization_SIF-04 inform the holder of the personal data about the existence of such policies and how to access them in a timely manner, as well as the purpose of the collection of their personal data.

4.1. TYPE OF INFORMATION SUBJECT TO PROCESSING

AS-NET recognizes that its employees, shareholders and members of the Board of Directors are entitled to a reasonable expectation of privacy, taking into account their responsibilities, rights and obligations to AS-NET.

By virtue of the relationship established between you and AS-NET, AS-NET collects, stores, uses and transfers personal data to companies located inside and outside Colombia. Such personal data and information includes but is not limited to:

1. 1)  Of the Candidates:
   1. Name, identification, address, telephone, date of birth, education information.
   2. Resume, education, experience, links with entities, links with companies.
2. 2)  From Customers:
   1. Client’s name or company name, identification number or NIT with verification digit, place of domicile, address, telephone numbers, fax, e-mail;
   2. Name of general manager or legal representative and address, telephone, fax, e-mail;
   3. Name of the person assigned to collect the portfolio, e-mail address;
   4. Tax information;
   5. Bank information including bank account holder’s name, bank account number, bank account number, and bank account number.

bank account and bank name or code.

1. 3)  From Suppliers:
   1. Supplier’s name or company name, identification number or NIT with verification digit, place of domicile, address, telephones, fax, e-mail;
   2. Name of the general manager or legal representative and address, telephone, fax, e-mail;
   3. Name of sales manager, address, telephone, fax, e-mail;
   4. Name of the person assigned to collect the portfolio, e-mail address;
   5. Tax information;
   6. Bank information including bank account holder’s name, bank account number, bank account number, and bank account number.

bank account and bank name or code.

4) Employees:

1. Worker and Family Group: name, identification, address, telephone, spouse’s name and identification, children’s name and identification, social security affiliations, medical policy, age, date of birth, education information, health status, medical authorizations, participation in recreational activities and sports;
2. Resume, education, experience, links with entities, links with companies;

1. Salary and other payments;

1. Balance of debts contracted with AS-NET or drawee;
2. Affiliations with payroll deduction;
3. Pension contributions;
4. Constitution and contributions to voluntary pension funds, food bonds, etc.
5. Legal proceedings, seizure;
6. Discount authorizations;
7. Benefits throughout your working life;
8. Employment contract;
9. Changes in the employment contract;
10. Relationship with previous employers;
11. Work history of the worker;
12. Payment of assistance and benefits;
13. Beneficiaries of the employee for the purpose of payment of benefits and allowances;
14. EPS affiliation, pension fund, ARL, compensation fund;
15. Training received;
16. Psychological evaluation report;
17. Detail of the characterization;
18. Worker demographics report;
19. Occupational medical history of the worker;
20. Occupational accidents;
21. Overtime;
22. Entry and exit of AS-NET facilities;
23. Photographic record;
24. Annual competency assessment;

AS-NET shall guarantee the conservation and custody of physical files of occupational medical records (entry, periodic and exit), resumes and supports, for a minimum period of twenty (20) years, counted from the moment when the employee’s labor relationship with the company ceases. Once this period has expired, all confidential documents will be destroyed by means of a cross-cut paper shredder.

5) Sensitive data

Sensitive data are those data that affect the privacy of the holder or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties as well as data relating to health, sex life and biometric data. AS-NET shall restrict the processing of sensitive personal data to what is strictly necessary and shall request prior and express consent on the purpose of its processing.

4.2. USE AND PURPOSE OF THE TREATMENT

Personal data may be used for:

1. Execution of the contract signed with AS-NET, as client, supplier and/or collaborator.
2. Payment of contractual obligations.
3. Sending information to governmental or judicial entities at their express request.
4. Support in external/internal audit processes.
5. Sending/receiving messages for commercial, advertising and/or customer service purposes.
6. Registration of the information of candidates, clients, employees and/or suppliers in the Company’s databases.
7. Contact with candidates, clients, employees or suppliers to send information related to the contractual, commercial or obligatory relationship that takes place.
8. Fulfillment of the duties that AS-NET has as responsible for the information and personal data.
9. For security or fraud prevention purposes.
10. To provide you with effective customer service.
11. Any other purpose resulting from the development of the contract or the relationship between the owner of the data and AS-NET.

If you provide us with Personal Data, this information will be used only for the purposes stated herein, and we will not sell, license, transmit, or disclose it outside of AS-NET unless (i) you expressly authorize us to do so, (ii) is necessary to enable our contractors to perform the services we have engaged them to perform, (iii) in order to provide you with our products or services, (iv) is disclosed to entities that perform marketing services on our behalf or to other entities with which we have joint marketing agreements, (v) is in connection with a merger, consolidation, acquisition, divestiture or other restructuring process; or (vi) as required or permitted by law.

In order to implement the purposes described above, personal data may be disclosed for the purposes set forth above to the Human Resources area, the Chief Administrative Officer (CAO), consultants, advisors and other persons and offices as appropriate.

AS-NET may subcontract to third parties for the processing of certain functions or information. Where we do outsource the processing of your personal information to third parties or provide your personal information to third party service providers, we advise such third parties of the need to protect such personal information with appropriate security measures, prohibit them from using your personal information for their own purposes and prevent them from disclosing your personal information to others.

Likewise AS-NET may transfer or transmit (as appropriate) your personal data to other companies abroad for reasons of security, administrative efficiency and better service, in accordance with the authorizations of each of these persons, has taken the necessary measures for those companies to implement in their jurisdiction and according to the laws applicable to them, standards of security and protection of personal data even similar to those provided for in this document and in general in the policy of AS-NET on the subject. In the case of transfer of personal data, the appropriate transfer contract shall be signed in accordance with the terms of Decree 1377/13.

Additionally, once the need for data processing ceases, the data may be deleted from AS-NET ‘s databases or archived in secure terms so that they may only be disclosed when required by law. Such data will not be deleted despite the holder’s request, when the conservation of such data is necessary for the fulfillment of an obligation or contract.

4.2.1. TREATMENT OF SENSITIVE PERSONAL DATA

Data classified as sensitive may be used and processed when:

• The Data Subject has given his or her explicit authorization to such processing, except in those cases in which, by law, the granting of such authorization is not required.
• The processing is necessary to safeguard the vital interests of the Data Subject and the Data Subject is physically or legally incapacitated. In these events, the legal representatives must give their authorization.
• The processing refers to data that are necessary for the recognition, exercise or defense of a right in a judicial proceeding.
• The treatment has a historical, statistical or scientific purpose, or within the framework of improvement processes, as long as the measures leading to the suppression of the identity of the owners are adopted.

4.2.2. PERSONAL DATA OF CHILDREN OR ADOLESCENTS

Minors are holders of their personal data and therefore bearers of the corresponding rights. In accordance with the provisions of the Political Constitution and in accordance with the Code of Children and Adolescents, the rights of minors must be interpreted and applied in a prevalent manner, therefore, they must be observed with special care. As stated in Ruling C-748 of 2011, the opinions of minors must be taken into account when processing their data.

AS-NET is therefore committed, in the processing of personal data, to respect the prevailing rights of minors. The processing of personal data of minors is prohibited, except for data of a public nature.

4.3. RIGHTS OF THE HOLDER

Pursuant to Article 8 of Law 1581 of 2012, the rights that you as the holder have in relation to your personal data are:

1. To know, update and rectify the personal data before the person in charge of the Treatment or those in charge of the Treatment. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorized;
2. Request proof of the authorization granted to AS-NET as the data controller, except when expressly exempted as a requirement for the Processing;

1. Be informed by AS-NET, as Data Controller or by the Data Processor, upon request, regarding the use that has been made of their personal data;

1. File complaints before the Superintendency of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other regulations that modify, add or complement it;
2. To revoke the authorization and/or request the deletion of the data when the processing does not respect the constitutional and legal principles, rights and guarantees;
3. Access free of charge to personal data that have been subject to Processing.

4.4. ASSIGNMENT OF RESPONSIBILITIES AND AUTHORIZATIONS IN THE PROCESSING OF PERSONAL INFORMATION

4.4.1. DUTIES AS DATA CONTROLLER

1. AS-NET shall keep the authorizations granted by the Holders in the following areas:

o HumanManagement:ARCHIVES-CARPETETADECADACOLABORATOR.

o Sales/Commercial:ARCHIVE-CARPETADECADECADACLIENTE.

o Purchases:ARCHIVE-CARPETADECADECADAPROVIDER.

1. AS-NET will inform about the purpose of the collection, in the text used to obtain the authorization. The Data Subject will always know the type of treatment that will be given to his/her data, if they are going to circulate or be shared with related entities, or with commercial allies, with what purpose or purposes and the way to express his/her will in relation to the scope of the treatment.
2. AS-NET shall inform that the use it makes of the data is the one corresponding to the development of its contractual relations established with customers and users, as well as it shall indicate that it may use the personal data provided for the development of statistical and fraud prevention tools.
3. The areas in charge of processing employee, customer and supplier information must ensure that the information provided is truthful, complete, accurate, updated and understandable. In addition, it is their duty to verify that the terms of delivery of the information are complied with and to establish efficient data validation mechanisms, in order to ensure that the updated use of the information is available at all times. It is important to note at this point that the effective collaboration of the Data Controllers with respect to the updating of their information, in the data that are known in the first instance by them, will be essential for the optimal fulfillment of this duty to inform the Data Controller about all the news regarding the data that have been provided to him/her. The following formats are available for this purpose:

o HumanManagement: F-FormDataUpdate_GHF-33

o Sales/Commercial: Customer and contract databases.

o Purchasing:F-Supplier Registration_F-04

5. AS-NET must restrict access to the personal data of employees, customers and suppliers, contained in databases (Excel, SQL, database type, among others) by protecting password-protected files. The positions responsible for protecting these files are defined below:

Human Resources Director: Collaborators database.

Customer Service Leader-Customer Service Analyst Sales Administration Billing/Contracts: Customer Database.

Chief Administrative Officer (CAO): Supplier database.

4.4.2. DUTIES AS DATA PROCESSOR

There shall be efficient channels that allow the updates of the information made by the responsible person to be received and processed within the term of five (5) working days provided for by the Law. These will be referred to an e-mail and telephone contact generated from the competent Area.

Access to the information shall be allowed only to those persons authorized by law to do so. For these purposes, the requirements to be met by the Judicial and Administrative Authorities requesting this type of information shall be clearly established, which shall refer to the clear identification of the functions by virtue of which the request is made; as well as those to be met by the Holders, attorneys-in-fact or assignees, in particular the manner of accrediting their capacity and the required supports.

It has been established that, in the contracts entered into with the persons in charge, clauses should be included that clearly establish their duty to guarantee the security and privacy of the data subject’s information.
AS-NET must restrict access to the personal data of employees, customers and suppliers, contained in databases (Excel, SQL, database type, among others) by protecting password-protected files. The positions responsible for protecting these files are defined below:

o Human Resources Director: Collaborators database.
o Customer Service Leader – Treasury and Billing Leader and Contract Analyst: Customer Database.
o Chief Administrative Officer (CAO): Supplier database.

4.5. PROCEDURE FOR EXERCISING YOUR RIGHTS AS OWNER

AS-NET guarantees the exercise of all rights as owner of the personal data. If you have any questions about this Policy, or any concerns or complaints, or in the event of a complaint, rectification, update, consultation, or request for access or removal of data, or with regard to

to the administration of the Policy, communicate through any of the following means, together with the form F-Request for Exercising the Rights of the Personal Data Subject_SIF-48:

• Contact: Ayda Castro Suárez – AS-NET Personal Data Officer.
• Telephone: (57-1) 5801800 Ext.1059
• E-mail: sgsi@asnet-multisite.local/en
• Address: Carrera 49a No. 91-31 La Castellana. Bogotá, D.C. Colombia.

Once you inform the responsible area within AS-NET, depending on which of them your request is addressed to, the consultation, update, revocation or deletion will be processed, taking into account the provisions of the procedure P-Exercise of the rights of the holder of personal data_SIP-17.

4.6. MODIFICATION OF THIS POLICY

• This Policy is effective as of its approval by AS-NET ‘s CEO and its updating shall depend on the instructions of the Information Security Committee, in accordance with the guidelines of the same committee and the CEO.
• The approved version of this Policy shall be published on the Intranet and on AS-NET‘s website.
• It is the duty of all interested parties to be aware of this Policy and to perform all acts conducive to its compliance, implementation and maintenance.
• This policy will be updated at least once a year at least once a year o when changes to the ISMS are significant and have an impact on it , o when Information Security incidents occur that require updating or that affect personal data. incidents that warrant updating or that affect personal data.

5. REFERENCE DOCUMENTS

• Political Constitution of Colombia
• Statutory Law 1581 of 2012 – Protection of Personal Data
• Statutory Law 1266 of 2008 – General provisions on habeas data that regulates the handling of information contained in personal databases, especially financial, credit, commercial and service information, as well as information from third countries, and other provisions.
• Decree 1074 of May 26, 2015 – Sole Regulatory Decree of the Commerce, Industry and Tourism Sector.
• Decree 1377 of 2013 – Partially regulates Law 1581 of 2012 Formats

F-Form Data Update Form_GHF-33
F-Supplier Registration_CF-04
F-Personal Data Processing Authorization_SIF-04