Legal Notice HOTEL DON SAUL

FIRST: GENERAL PROVISIONS

We have a special interest in protecting and respecting your personal information and data, which is why we have designed these information processing policies within the framework of Law 1581 of 2012 and Regulatory Decree 1377 of 2013.

1.1.- Introduction.

HOTEL DON SAUL and the companies operating it may collect personal data from their users, guests, or visitors through various means intended for accessing their services. In any case, the collection will be done with the express authorization of the data owner, and the processing will be subject to the provisions of the law.

The personal information subject to the considerations established here may be collected by HOTEL DON SAUL through the website www.hoteldonsaul.com, through visiting or acquiring services offered on the platform, or directly at hotels affiliated or associated with HOTEL DON SAUL.

The considerations established here will be deemed accepted by the Information Owner when they visit or use the website www.hoteldonsaul.com and/or when personal data or information is entered through the functions established for this purpose, regardless of the intended purpose.

1.2- General principles.

The obtaining and collection of personal data, as well as the use, processing, exchange, transfer, and transmission of such data by HOTEL DON SAUL or any of the operating companies of HOTEL DON SAUL, will always be guided by principles of legality, freedom, truthfulness, transparency, security, confidentiality, and the principle of restricted access and circulation.

1.3- Legal definitions.

In accordance with Law 1581 of 2012 and Decree 1377 of 2013, the following definitions will govern the personal information processing policies.

1.3.1.- Data Processor: The Data Processor is the natural or legal person, public or private, who, alone or in association with others, carries out the processing of personal data on behalf of the Data Controller.

1.3.2.- Data Controller: The Data Controller is the natural or legal person, public or private, who, alone or in association with others, decides on the databases and/or the processing of the data.

1.3.3.- Database: A database is understood as the organized set of personal data that is subject to processing.

1.3.4.- Personal data: Personal data is any information linked or that can be associated with one or more determined or determinable natural persons.

1.3.5.- Sensitive data: Sensitive data is understood as data that affects the privacy of the data subject or whose improper use can lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social, human rights organizations or that promotes interests of any political party or guarantees the rights and guarantees of opposition political parties, as well as health-related data, sexual life, and biometric data.

1.3.6.- Public data: Public data is data that is not semi-private, private, or sensitive. Among others, public data includes data related to the civil status of individuals, profession or occupation, and their status as a merchant or public servant. By nature, public data may be contained, among others, in public records, public documents, gazettes, and bulletins and judicially executed judgments that are not subject to reservation.

1.3.7.- Transfer: Data transfer occurs when the Data Controller and/or Data Processor of personal data, located in Colombia, sends the information or personal data to a recipient, who is also a Data Controller and is located either inside or outside the country.

1.3.8- Transmission: Personal data processing that involves the communication of the same within or outside the territory of the Republic of Colombia when the purpose is for processing by the Processor on behalf of the Controller.

SECOND: AUTHORIZATION OF THE DATA SUBJECT:

The supplied data will be subject to authorized processing, granted in a previous, express, and informed manner by the data subject directly to HOTEL DON SAUL or through the companies operating them.

However, visiting, entering, or using the website www.hoteldonsaul.com, in itself constitutes prior, express, and informed authorization of the storage, collection, and processing of information in accordance with the data processing policy contained herein.

In any case, data collection will be limited to those personal data that are pertinent and adequate for the purpose pursued with this.

THIRD: INFORMATION PROCESSING:

3.1- Collected Data. The collection of data for the development of the processing and purposes pursued by it will fall on the personal data received and stored by HOTEL DON SAUL and the affiliated or associated companies and hotels, and will include all the information provided during visits to the website www.hoteldonsaul.com, as well as all information related to services or bookings made, and lodging and accommodation data provided to HOTEL DON SAUL or any of the associated hotels.

Regardless of whether in some cases it involves public data, the information collected will pertain to the name, citizenship ID number, profession, nationality, date of birth, email address, personal preferences and interests, job or activity, consumption habits, travel habits, among others. If a booking is made through the website www.hoteldonsaul.com, the corresponding credit card information provided for the reservation and stay will be collected.

3.2- Processing to which the data will be subjected and its purpose.

The data and information obtained and collected by HOTEL DON SAUL and the operating companies of such hotels will be used in the normal course of their commercial activities solely for the purpose established in these data processing policies, in order to allow for the creation of a direct and effective communication with the customer, leading to the establishment of a closer relationship.

Processing consists of sending digital information through different communication channels, with the intention of contacting the owner to send service surveys after each stay that allow for the rating of the provided service, and to communicate invitations, offers, promotions, service portfolio, or hotel information of HOTEL DON SAUL or the hotels that are part of HOTEL DON SAUL, without at any time being facilitated, assigned, or delivered to people other than or unrelated to the HOTEL DON SAUL that collected the information, or hotels and activities related to HOTEL DON SAUL and the activities it develops. Additionally, the purpose of data collection is to: carry out, process, and complete bookings or purchases of hotel nights or other services; perform internal studies on tourism habits; assess the quality of our services; send surveys and questionnaires regarding the provided services; respond timely to requests, petitions or needs; communicate invitations, offers, promotions, and general information about the service portfolio offered by natural or legal persons directly linked to hotel operations and specifically with the services provided by HOTEL DON SAUL or its affiliated companies and hotels.

The information or data provided that is collected or stored in accordance with these policies can be shared, transmitted, updated, and/or deleted among HOTEL DON SAUL and its operating companies for the purposes defined in these policies, to be used in the manner established herein. By accessing the website www.hoteldonsaul.com, you authorize your information and data to be shared with tourism providers to whom reservations and/or requests refer.

It is assumed that all information or data provided or deposited through the website www.hoteldonsaul.com is true, accurate, and complete, and it can be withdrawn at any time if it is deemed harmful to your interests or those of a third party.

The data and information received when accessing the website www.hoteldonsaul.com may pertain to you and the device from which you are accessing. To optimize and make your experience more efficient when visiting the website www.hoteldonsaul.com, cookies and/or web beacons may be used, as well as obtaining and storing information on your internet browsing activities, IP address, operating system of the device from which you are accessing, through a recognition and tracking process that allows for identifying your preferences and identifying you when you visit again and storing certain records, based on your IP address. The IP address is not associated or linked to your name or personal data.

3.3.- Sensitive data and data regarding children and adolescents. Neither HOTEL DON SAUL nor its operating companies will process data considered sensitive, nor is the data collection oriented toward gathering sensitive information.

The collection of data regarding minors and adolescents and the respective authorization must always be given through their legal representative, upon the minor’s exercising of their right to be heard.

The processing of data related to children and adolescents must respond to and respect the best interests of children and adolescents and their fundamental rights.

In the event that for any reason a question may lead to a response about sensitive data or data of children and adolescents, answering such question will be discretionary.

3.4.- Duties of the data processing controller.

The data controllers, and/or data processing controllers and data processors, are required to: a) Guarantee to the Data Subject at all times the full and effective exercise of the habeas data right; b) Request and keep, under the conditions established by law, a copy of the respective authorization granted by the Data Subject; c) Inform the Data Subject appropriately about the purpose of the data collection and the rights granted to them by virtue of the granted authorization; d) Maintain the information under the necessary security conditions to prevent its adulteration, loss, unauthorized or fraudulent consultation, use, or access; e) Ensure that the information provided to the Data Processor is truthful, complete, accurate, updated, verifiable, and understandable; f) Update the information, timely communicating to the Data Processor all updates on the data previously provided and adopting the necessary measures to keep the data provided to them updated; g) Rectify the information when it is incorrect and communicate the necessary changes to the Data Processor; h) Supply the Data Processor, as the case may be, only data whose Processing is previously authorized in accordance with the provisions of the present law; i) Require the Data Processor at all times to respect the conditions of security and privacy of the Data Subject’s information; j) Handle consultations and claims filed according to the terms established by law; k) Inform the Data Processor when certain information is under discussion by the Data Subject, once the claim has been submitted and the respective process has not been completed; l) Inform, at the Data Subject’s request, about the use given to their data; m) Inform the data protection authority when there are security code violations and risks in the management of data subjects’ information; n) Fulfill the instructions and requirements issued by the Superintendence of Industry and Commerce.

FOURTH: IMPLEMENTATION OF PROCEDURES TO GUARANTEE THE RIGHT TO FILE CLAIMS.

At any time and free of charge, the Data Subject or their representative may request HOTEL DON SAUL to rectify, update, or delete their personal data, upon accreditation of their identity. The rights of rectification, update, or deletion can only be exercised by:

• The Data Subject or their heirs, upon accreditation of their identity, or through electronic means that allow for identification.
  • Their representative, upon accreditation of representation. When the request is made by a person other than the Data Subject and it is not proven that the person acts on behalf of the Data Subject, it will be considered as not presented. The request for rectification, update, or deletion must be submitted through the means enabled by HOTEL DON SAUL as stated in the privacy notice and must contain at least the following information:

1. The name and address of the Data Subject or any other means to receive a response.
   2. Documents accrediting the identity or the representation of their representative.
   3. A clear and precise description of the personal data that the Data Subject seeks to exercise any of the rights over.
   4. If applicable, other elements or documents that facilitate the localization of personal data.

PARAGRAPH 1. RECTIFICATION AND UPDATING OF DATA. HOTEL DON SAUL. is obligated to rectify and update, at the request of the Data Subject, their information that is incomplete or inaccurate, in accordance with the procedure and terms outlined above. The following should be considered regarding this: In requests for rectification and updating of personal data, the Data Subject must specify the corrections to be made and provide documents supporting their request.

HOTEL DON SAUL. is fully free to enable mechanisms that facilitate this right, provided they benefit the Data Subject. Consequently, electronic or other considered pertinent means may be enabled.

HOTEL DON SAUL. May establish forms, systems, and other simplified methods, which must be informed in the privacy notice and made available to interested parties on the website www.hoteldonsaul.com.

HOTEL DON SAUL will utilize customer service channels already in operation, provided the response times do not exceed those indicated by Article 15 of Law 1581 of 2012.

Whenever HOTEL DON SAUL. launches a new tool to facilitate the exercise of Data Subjects’ rights or modifies existing ones, it will be announced through its website www.hoteldonsaul.com.

PARAGRAPH 2. DELETION OF DATA. The Data Subject has the right, at any time, to ask HOTEL DON SAUL for the deletion (elimination) of their personal data when:

a.) They consider that the data is not being processed in accordance with the principles, duties, and obligations prescribed in Law 1581 of 2012.
b.) They have ceased to be necessary or pertinent for the purpose for which they were collected.
c.) The necessary period for fulfilling the purposes for which they were collected has elapsed.

This deletion implies the total or partial elimination of the personal information according to the Data Subject’s request in the records, files, databases, or processing carried out by HOTEL DON SAUL. It is important to take into account that the right of cancellation is not absolute and that the entity responsible for the data can deny fulfilling it when:

The request for deletion of the information will not proceed when the Data Subject has a legal or contractual obligation to remain in the database.

• The deletion of data hinders judicial or administrative proceedings related to fiscal obligations, the investigation, and prosecution of crimes, or the imposition of administrative sanctions.
• The data is necessary to protect the Data Subject’s legally protected interests; to fulfill an action based on public interest, or to comply with a legally acquired obligation by the Data Subject.

In the case where the cancellation of personal data is appropriate, HOTEL DON SAUL must operationally execute the deletion so that the elimination does not allow for the recovery of the information.

FIFTH: RIGHTS AND POWERS OF THE DATA SUBJECT:

5.1.– Rights of the Data Subject. Once the authorization has been granted by the Data Subject for the corresponding processing, they have the right to: a) Know, update, and rectify their personal data. This right may be exercised with respect to partial, inaccurate, incomplete, fractioned data, data that may lead to errors, data that is expressly prohibited from being processed or for which no authorization has been granted; b) Request proof of the authorization given, except when it is expressly exempted as a requirement for processing, in accordance with the provisions of Article 10 of Law 1581 of 2012; c) Be informed by the Data Controller and/or Processor regarding the use given to their personal data, upon request; d) File complaints with the Superintendence of Industry and Commerce regarding violations of the provisions of the law; e) Revoke the authorization and/or request the deletion of the data when the processing does not respect the constitutional and legal principles, rights, and guarantees. The revocation and/or deletion proceed when the Superintendence of Industry and Commerce has determined that the processing incurred in conduct contrary to this law and the Constitution; f) Request at any time the Data Controller or Processor to delete their personal data and/or revoke the authorization granted for their processing, by filing a claim. This will not proceed when the Data Subject has a legal or contractual obligation to remain in the database. g) Access their personal data that have been processed freely: (i) at least once each calendar month, and (ii) each time there are substantial modifications to the Information Processing Policies that motivate new consultations. In the case of requests whose frequency is greater than once each calendar month, the Data Controller and/or Processor may charge the Data Subject the costs of shipping, reproduction, and, if applicable, certification of documents.

5.2.- Legitimization for exercising the rights of the Data Subject.

The following individuals are also legitimized to exercise the rights of the information owner: a) The Data Subject themselves, who must sufficiently prove their identity by the means available to them as provided by the responsible party; b) Their heirs, who must prove their legal status; c) The Data Subject’s representative and/or attorney, upon accreditation of representation or empowerment; d) By provision for another or to the benefit of another; e) The rights of children and adolescents will be exercised by the persons authorized to represent them, upon accreditation of the power of representation.

5.3.- Area responsible for the service and support to the Data Subject.

The attention and response to inquiries, requests, and claims from the Data Subjects regarding any aspect of the processing will be handled by the legal department. The Data Subject who wishes to know, update, rectify, request proof of authorization granted; to be informed about the use given to their personal data; revoke authorization and/or request the suppression of the data(s) and/or access their personal data that has been processed for free must request it in writing directly to the email eventos@hoteldonsaul.com, or send the communication to Calle 17#23-52 Pasto Nariño Colombia. In either case, it must be specified: a) full name; b) identity document; c) physical and email address; d) contact telephone number; e) Brief statement of the information and data referred to, expressly indicating the scope and content of the request; and, f) include the supporting documents for their request.

5.4.- Procedure to exercise the rights to know, update, rectify or delete information and revoke authorization.

Procedures for accessing, updating, deleting and rectifying personal data, and for revoking authorization, may be carried out through inquiries or claims sent to the email address eventos@hoteldonsaul.com or to the address Calle 17#23-52 Pasto Nariño Colombia, depending on their objective, establishing at a minimum, the legitimacy for making the request and clearly and concretely stating what is sought.

All requests, suggestions, and recommendations related to data processing should be sent to the email address eventos@hoteldonsaul.com.

The Data Subject or the authorized person must accompany their written request with proof of their capacity, and must supply the necessary data and documents to account for their identity and status.

The email must specify the purpose or subject of the communication, and for this it will suffice to indicate within the text that the Data Subject is exercising the right to know, update, rectify, delete, or revoke the granted authorization.

5.5.- Procedure for the correction, update, or deletion of data and for filing complaints and claims.

Anyone authorized by law, and who considers that the information contained should be corrected, updated, or deleted; or when they consider that the processing of personal data violates legal norms, may file claims to the email address eventos@hoteldonsaul.com, in accordance with Article 15 of Law 1581 of 2012.

Complaints and claims will be processed under the following rules:

5.5.1.- The claim will be made by submitting a request addressed to the Data Controller or the Data Processor, identifying the Data Subject, describing the facts giving rise to the claim, and providing the address, accompanied by the documents to be submitted. If the claim is incomplete, the interested party will be requested to correct the deficiencies within five (5) working days following receipt of the claim. If two (2) months elapse from the date of request without the applicant presenting the required information, it will be understood that they have withdrawn the claim.

If the recipient of the claim does not have jurisdiction to resolve it, they will forward it to the appropriate party within a maximum term of two (2) working days and inform the interested party of the situation.

5.5.2.- Upon receiving the complete claim, a legend indicating “claim in process” and its reason will be included in the database, within no more than two (2) working days. Such a legend must be maintained until the claim is resolved.

5.5.3.- The maximum term for responding to a claim will be fifteen (15) working days from the day after it is received. When it is not possible to resolve the claim within that term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed. This date cannot exceed eight (8) working days beyond the expiration of the initial term.

5.6.- Consultation and access to information.

Consultations on personal data contained in the database of HOTEL DON SAUL or any of the operating companies of HOTEL DON SAUL will be addressed by written request through the email address eventos@hoteldonsaul.com.

Consultations will be addressed within a maximum term of fifteen (15) working days from the date of receipt. When it is not possible to respond to the consultation within that term, the interested party will be informed before the expiration of fifteen (15) working days, stating the reasons for the delay and indicating the date on which the consultation will be resolved, which in no case may exceed five (5) working days beyond the expiration of the first term.

SIXTH: SECURITY.

6.1.- Security in information management.

The collected data will always be treated within a framework of confidentiality, so they will not be facilitated, assigned, or given to people other than or unrelated to HOTEL DON SAUL, to operating companies, or those with legitimate authority for it.

6.2.- Transfer and transmission of data.

When a contract is signed with a third party professional and experienced in handling and using databases, the responsible party will sign the personal data transmission contract referred to in Article 25 of Decree 1377 of 2013.

SEVENTH: DISSEMINATION AND VALIDITY.

7.1.- Means of disseminating information processing policies and the privacy notice.

This document, establishing the policy for processing personal data collected, will be permanently published on the link _https://www.hoteldonsaul.com/es/informacion-legal

processing of information_ so that it can be consulted by anyone interested.

When requesting the express authorization of the Data Subject for data processing, they will be informed of the specific purposes for which consent is obtained, and made aware of the Processing Policy and the rights they have as a Data Subject.

7.2.- Entry into force of data processing policies.

The collection, storage, use, and circulation of personal data, in line with the considerations established here, will be conducted and maintained while the necessity for direct communication with the customer persists and there are no more efficient ways to do so, as per the purposes proposed by the data processing. If the end cannot be achieved through Processing of personal data, they will be permanently deleted from the database.

This document comes into effect on January 1, 2018.

7.3.- Procedure for events of modifications to the policies.

If modifications to the personal data processing policies established here are made, they will be notified and communicated through this same webpage, prior to their enactment.

7.4.- Incorporation of the conditions of use of the website www.hoteldonsaul.com.

In accordance with applicable regulations, the information processing policy is an integral part of the terms and conditions of use of the website www.hoteldonsaul.com.

7.5. – Data Controller.

EIGHTH: LAW ON COMMERCIAL SEXUAL EXPLOITATION OF CHILDREN AND ADOLESCENTS (CSEC)

In compliance with the provisions of Article 17 of Law 679 of 2001, HOTEL DON SAUL warns tourists that the exploitation and sexual abuse of minors in COLOMBIA are criminally and administratively sanctioned, in accordance with the laws in force.

Law 1336 of 2009. Against exploitation, pornography, sexual tourism, and other forms of abuse of minors. – Law 1098 of 2006 of child labor exploitation Código del Menor. – Law 1482 of 2011, amended by Law 1752 of 2015, equality of race or gender – Law 397 of 1997. Against Cultural Heritage trafficking. – Law 599 of 2000 and Decree 1608 of 1978. Against trafficking of species such as wildlife and flora. – Law 1335 of 2009. Anti tobacco law, for a smoke-free environment – Decree 1377 of 2013 concerning the management of the confidentiality of data provided to the company (Privacy and Data Protection Policy). Of child labor exploitation Código del Menor (Law 1098 of 2006) equality of race or gender (Law 1482 of 2011, amended by Law 1752 of 2015), we invite you to participate in our commitment to environmental sustainability through efficient use of water and energy, as well as comprehensive management of solid waste and commitment to its reduction, reuse, and recycling.

IYAD HUSIEN IBRAHIM, with NIT 12978490-7, acts as the responsible party and in charge of personal data processing, along with each of the affiliated operating companies that have collected the information. When the information has been received or collected by one of its affiliated companies, with express authorization for transfer, IYAD HUSIEN IBRAHIM will be responsible for the processing.

Any communication may be directed to Calle 17#23-52 PASTO NARIÑO COLOMBIA, or to the email address eventos@hoteldonsaul.com.