MuchoSur's legal warning
Data protection policy
The information processing policy is developed in compliance with Articles 15 and 20 of the Political Constitution, as well as Articles 17, letter k) and 18, letter f) of Statutory Law 1581 of 2012, which establishes general provisions for the Protection of Personal Data (LEPD). Additionally, in compliance with Article 2.2.2.25.1.1, Section 1, Chapter 25 of Decree 1074 of 2015, which partially regulates Law 1581 of 2012.
This policy will apply to all personal data recorded in databases that are processed by the data controller.
1. OBJECTIVE AND SCOPE
Describe the guidelines for the processing of Personal Data, taking into account the provisions of Law 1581 of 2012, Decree 1377 of 2013, Decree 886 of 2014, incorporated into Single Decree 1074 of 2015, and other regulations that expand, modify, or replace the regulations on the matter.
This document will apply to all personal data or any other type of information used or stored in MuchoSur's databases and files, respecting the criteria for obtaining, collecting, using, processing, sharing, transferring, and transmitting personal data, and establishing MuchoSur's obligations and guidelines for the administration and processing of personal data stored in its databases and files. This Manual is applicable to MuchoSur's processes that must process data (public data, semi-private data, private data, sensitive data, data of children and adolescents), as both the controller and the processor.
2. DEFINITIONS
For the purposes of applying the rules contained in this policy, and in accordance with the provisions of Article 3 of Law 1581 of 2012, the following are understood as:
● Authorization: Prior, express, and informed consent of the Data Subject to carry out the processing of personal data. Authorization will be deemed to meet these requirements when expressed (i) in writing, (ii) orally, or (iii) through unequivocal conduct by the Data Subject that reasonably allows us to conclude that authorization has been granted. Under no circumstances may silence be equated with unequivocal conduct.
● Privacy Notice: Verbal or written communication generated by the data controller addressed to the Data Subject for the processing of their personal data, through which they are informed of the existence of the information processing policies that will be applicable to them, how to access them, and the purposes of the processing intended for their personal data.
● Database: An organized set of Personal Data that is subject to Processing, belonging to the same context and systematically stored for later use.
● Personal data: Any information linked to or that can be associated with one or more specific or identifiable natural persons. This data is classified as public, semi-private, private, and sensitive:
● Public data: Data that is not semi-private, private, or sensitive. Public data includes, among others, data relating to a person's marital status, their profession, and their status as a merchant or public servant. By its nature, public data may be contained in, among others, public registries, public documents, official gazettes and bulletins, and duly enforceable court rulings that are not subject to confidentiality.
● Semi-private data: This is data that is not of an intimate, reserved, or public nature and whose knowledge or disclosure may be of interest not only to its Owner but also to a certain sector or group of people or to society in general, such as: Databases containing financial, credit, commercial, service information and information from third countries.
● Private data: Data that, due to its intimate or confidential nature, is of interest only to its data subject and requires prior, informed, and express authorization for its processing. This includes databases containing data such as personal telephone numbers and email addresses; employment data; data on administrative or criminal offenses; data managed by tax authorities, financial institutions, and management entities and common services of Social Security; databases on financial solvency or credit; databases with sufficient information to assess the data subject's identity; databases of the managers of operators that provide electronic communication services.
● Sensitive data: Sensitive data is understood to be that which affects the privacy of the Data Subject or whose improper use may lead to discrimination, such as data that reveals racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in trade unions, social organizations, human rights organizations, or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties, as well as data related to health, sexual life and biometric data.
● Data Processor: Natural or legal person, public or private, who, by itself or in association with others, carries out the processing of personal data on behalf of the data controller.
● Data controller: A natural or legal person, public or private, who, on their own or in association with others, decides on the database and/or the processing of the data.
● Database Manager: Collaborator in charge of monitoring and coordinating the proper application of data processing policies once stored in a specific database, as well as implementing the guidelines issued by the data controller and the Data Protection Officer.
● Data Protection Officer: This is the natural person who assumes the function of coordinating the implementation of the legal framework for the protection of personal data, who will process requests from Data Subjects for the exercise of the rights referred to in Law 1581 of 2012.
● Transfer: Data transfer occurs when the controller and/or processor of personal data, located in Colombia, sends the information or Personal Data to a recipient, who in turn is the controller of the processing and is located within or outside the country.
● Transmission: Processing of Personal Data that involves communicating such data within or outside the territory of the Republic of Colombia when the purpose of processing it is to be carried out by the Data Controller on behalf of the Controller.
● Owner: Natural person whose Personal Data is subject to Processing.
● Processing: Any operation or set of operations on Personal Data, such as the collection, storage, use, circulation or deletion thereof.
3. PRINCIPLES
Article 4 of the Personal Data Protection Act (LEPD) establishes principles for the processing of personal data that must be applied in a harmonious and comprehensive manner in the development, interpretation, and application of the Act. The principles established below constitute the general parameters that MuchoSur will adhere to and are as follows:
● Principle of Legality: Data processing is a regulated activity that must comply with the provisions of the LEPD, Decree 1377 of 2013 Compiled in Chapter 25 of Decree 1074 of 2015 and other provisions that develop it.
● Principle of purpose: The processing of Personal Data must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Owner;
● Principle of freedom: Processing may only be carried out with the prior, express, and informed consent of the data subject. Personal Data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial order that waives consent. Data processing requires the prior and informed authorization of the Data Subject by any means that allows for subsequent access.
● Principle of truthfulness or quality: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited;
● Principle of transparency: Data processing must guarantee the Data Subject's right to obtain from the Data Controller or the Data Processor, at any time and without restriction, information about the existence of data concerning them. When requesting authorization from the Data Subject, the Data Controller must clearly and expressly inform them of the following, retaining proof of compliance with this obligation:
The processing to which your data will be subjected and its purpose.
The Data Subject's response to questions regarding sensitive data or data concerning children or adolescents is optional.
The rights that you have as the Owner.
The identification, physical address, email address and telephone number of the data controller.
● Principle of restricted access and circulation: Processing is subject to the limits derived from the nature of the personal data, the provisions of the Personal Data Protection Act (LEPD), and the Constitution. In this regard, processing may only be carried out by persons authorized by the Data Subject and/or by the persons provided for in the Law. Personal data, except for public information, may not be made available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to Data Subjects or authorized third parties.
● Security principle: Information processed by MuchoSur must be protected through the use of technical, human, and administrative measures necessary to ensure the security of records, preventing tampering, loss, unauthorized or fraudulent access, or consultation. The Data Controller is responsible for implementing the corresponding security measures and informing all personnel with direct or indirect access to the data. Users accessing the Data Controller's information systems must be aware of and comply with the security rules and measures relevant to their duties. These rules and security measures are set forth in PL-02 Internal Security Policies, which are mandatory for all users and company personnel. Any modification to the rules and measures regarding personal data security by the Data Controller must be made known to users.
● Confidentiality principle: All persons involved in the processing of Personal Data are required to guarantee the confidentiality of the information, even after their relationship with any of the tasks involved in the processing has ended. They may only provide or communicate personal data when this corresponds to the development of the activities authorized in the LEPD and under the terms thereof.
4. PROCESSING OF MINORS' DATA
MuchoSur, in accordance with Article 7 of Law 1581 of 2012, processes the personal data of children and adolescents within the framework of the criteria set forth in Article 2.2.2.25.2.9 Section 2 of Chapter 25 of Decree 1074 of 2015 (Article 12 of Decree 1377 of 2013), in compliance with the following parameters and requirements:
● That the use of data responds to and respects the best interests of children and adolescents.
● That the use of data ensures respect for the minor's fundamental rights.
Once the above requirements have been met, MuchoSur will request authorization from the child or adolescent's legal representative prior to exercising the minor's right to be heard. This opinion will be assessed taking into account the child's maturity, autonomy, and ability to understand the matter. As the Data Controller and/or Data Processor, MuchoSur will ensure the appropriate use of children's and adolescents' data, applying the principles and obligations established in Law 1581 of 2012 and regulatory standards. It will also identify sensitive data collected or stored in order to increase the security and processing of this information.
5. PURPOSES OF THE PROCESSING OF PERSONAL DATA
MuchoSur, in the course of its business activities, processes personal data relating to natural persons contained and processed in databases intended for legitimate purposes, in compliance with the Constitution and the Law. The processing of personal data includes collection, storage, use, circulation, or deletion. Data processing will be subject to the purposes authorized by the Data Controller, the contractual obligations between the parties, and any cases in which there are legal obligations that must be fulfilled.
Annex 1 PL-01, entitled Database Organization, contains information relating to the various databases under the company's responsibility and the purposes assigned to each of them for processing.
6. VALIDITY OF THE DATABASE
The personal data incorporated in the databases will be valid for the period necessary to fulfill the purposes for which their processing was authorized and for the period set by the special rules that regulate the matter; the current rules on retention periods will also be taken into account.
7. AUTHORIZATION
In accordance with Article 9 of the Personal Data Protection Act (LEPD), the Data Subject's authorization is required for the processing of personal data, except in cases expressly indicated in the regulations governing the protection of personal data. Prior to and/or at the time of collecting personal data, MuchoSur will request the Data Subject's authorization to collect and process the data, indicating the purpose for which the data is requested. For these purposes, automated technical means, whether written or oral, will be used to preserve proof of authorization and/or the unequivocal conduct described in Article 2.2.2.25.2.2, Section 2, Chapter 25 of Decree 1074 of 2015. The Data Subject's authorization will not be required in the following cases:
● The Personal Data is required by a public or administrative entity in the exercise of its legal functions or by court order
● When the data is of a public nature
● In the case of a medical or health emergency
● The processing of Personal Data is authorized by law for historical, statistical or scientific purposes
● It concerns data related to the civil registry of persons
8. FORM AND MECHANISMS FOR GRANTING AUTHORIZATION
The authorization of the data subject is included in each of the channels and mechanisms for collecting data, which guarantee its subsequent consultation and the expression of the data subject's will through the following means:
● In writing.
● Orally.
● Through automated channels.
● Through unequivocal conduct by the owner that allows us to reasonably conclude that he or she granted the authorization.
And, in advance and/or at the time of collecting personal data, the Data Subject will be informed clearly and expressly of the following:
● The processing to which your personal data will be subjected and its purpose;
● The optional nature of the response to questions asked when these relate to sensitive data or the data of girls, boys and adolescents;
● The rights that you have as the Owner;
● The identification, physical or electronic address and telephone number of MuchoSur.
9. RIGHTS OF INFORMATION OWNERS
In accordance with the provisions of article 8 of Law 1581 of 2012, article 2.2.2.25.4.1 section 4 chapter 25 of Decree 1074 of 2015 (Articles 21 and 22 of Decree 1377 of 2013), Data Subjects may exercise a series of rights in relation to the processing of their personal data. The Personal Data Subject has the following rights:
● To know, update, and rectify your Personal Data before the Data Controllers or Data Processors. This right may be exercised, among others, against partial, inaccurate, incomplete, fragmented, misleading data, or data whose processing is expressly prohibited or has not been authorized.
● Request proof of the Authorization granted to the Data Controller, except when it is expressly exempted as a requirement for processing, in accordance with the provisions of Article 10 of Law 1581 of 2012
● Be informed by the Data Controller or the Data Processor upon request, regarding the use that has been given to your personal data
● Submit complaints to the Superintendency of Industry and Commerce for violations of the provisions of Law 1581 of 2012, and other regulations that modify, add to or complement it.
● Revoke the Authorization and/or request the deletion of the data when the processing does not respect the constitutional and legal principles, rights, and guarantees. The revocation and/or deletion will proceed when the Superintendency of Industry and Commerce has determined that in the processing the Controller has engaged in conduct contrary to the law or the Constitution.
● Access your Personal Data that has been processed free of charge.
These rights may be exercised by the following persons:
By the Data Subject, who must sufficiently prove his or her identity through the various means made available to him or her by the Controller.
By their successors in title, who must prove such status.
By the representative and/or attorney of the Owner, upon prior accreditation of the representation or power of attorney.
By stipulation in favor of another and for another.
The rights of children or adolescents will be exercised by the persons who are authorized to represent them.
● Right of access or consultation
This is the Data Subject's right to be informed by the data controller, upon request, regarding the origin, use, and purpose of their personal data.
● Rights to complaints and claims
The Law distinguishes four types of claims:
Correction request: the Data Subject's right to have partial, inaccurate, incomplete, fragmented or misleading data, or data whose processing is expressly prohibited or unauthorized, updated, corrected, or modified.
Deletion request: the Data Subject's right to have data deleted if it is inadequate, excessive, or does not respect constitutional and legal principles, rights, and guarantees.
Revocation request: the Data Subject's right to revoke the authorization previously granted for the processing of his or her personal data.
Infringement claim: the Data Subject's right to request that a breach of data protection regulations be remedied.
● Right to request proof of the authorization granted to the Data Controller
Except when expressly exempted as a requirement for processing in accordance with the provisions of Article 10 of the LEPD.
● Right to file complaints for violations with the Superintendency of Industry and Commerce
The Data Subject or legal successor may only submit a request (complaint) to the SIC – Superintendency of Industry and Commerce once they have completed the consultation or claim process with the Data Controller or Data Processor.
10. MUCHOSUR'S DUTIES REGARDING THE PROCESSING OF PERSONAL DATA
MuchoSur will always bear in mind that Personal Data belongs to the individuals to whom it refers and that only they have the power to make decisions regarding it. Therefore, it will use it only for those purposes for which it is duly authorized, and in compliance with Law 1581 of 2012 on the protection of personal data.
In accordance with the provisions of Article 17 of Law 1581 of 2012, MuchoSur undertakes to permanently comply with the following obligations:
● Guarantee the Holder, at all times, the full and effective exercise of habeas data
● Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
● Request and keep, under the conditions provided by law, a copy of the respective Authorization granted by the owner
● Process queries and complaints made by the Owners in the terms indicated in article 14 of Law 1581 of 2012
● Inform the Data Subject, upon request, about the use of their data;
In relation to the Data Controller:
Ensure that the information provided to the Data Processor is true, complete, accurate, up-to-date, verifiable and understandable;
Update the information, promptly communicating to the Data Processor all new developments regarding the data previously provided and adopting other necessary measures to ensure that the information provided to the Data Processor remains up-to-date;
Rectify information when it is incorrect and communicate the relevant information to the Data Processor;
Inform the Data Processor when certain information is being disputed by the Data Subject, once the claim has been submitted and the respective process has not been completed;
Provide the Data Processor, as the case may be, only with data whose processing has been previously authorized in accordance with the provisions of this law;
Demand that the Data Processor respect the security and privacy conditions of the Data Subject's information at all times;
Regarding principles and other obligations:
Observe the principles of legality, purpose, freedom, quality, truthfulness, transparency, restricted access and circulation, security and confidentiality
Adopt an internal manual of policies and procedures to ensure proper compliance with this law and, in particular, for handling queries and complaints;
Inform the data protection authority when security code violations occur and when there are risks in the management of Data Subjects' information.
Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
10.1 DUTIES AS DATA CONTROLLER
MuchoSur, as Data Processor, shall comply with the following duties, without prejudice to the other provisions set forth in this law and in other laws governing its activity:
● Guarantee the Holder, at all times, the full and effective exercise of the right to habeas data;
● Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access;
● Promptly update, rectify or delete data in accordance with this law;
● Update the information reported by the Data Controllers within five (5) business days from receipt;
● Process queries and complaints made by the Owners in the terms indicated in this law;
● Adopt an internal manual of policies and procedures to ensure proper compliance with this law and, in particular, to address queries and complaints from Owners;
● Register the legend “claim in process” in the database in the manner regulated by this law;
● Insert the legend “information under judicial discussion” into the database once notified by the competent authority about judicial proceedings related to the quality of personal data;
● Refrain from circulating information that is being disputed by the Owner and whose blocking has been ordered by the Superintendency of Industry and Commerce;
● Allow access to information only to persons who are authorized to access it;
● Inform the Superintendency of Industry and Commerce when security code violations occur and there are risks in the management of the Holders' information;
● Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
10.2 ATTENTION TO DATA OWNERS
To address requests, inquiries, and complaints regarding personal data protection, MuchoSur has appointed a Data Protection Officer. Data subjects may submit their requests or inquiries through the following channels:
Email: notificaciones.judiciales@sht.com.co
Address: CR 13 26 30, BOGOTÁ DC - BOGOTÁ DC
Phones: 3820300 - 3160235242
10.3 PROCEDURES FOR EXERCISING THE RIGHTS OF THE HOLDER
Right of access
MuchoSur will guarantee the Holder free consultation of his personal data in the following cases (Article 2.2.2.25.4.2. section 4 chapter 25 of Decree 1074 of 2015):
At least once every calendar month.
Whenever there are substantial modifications to information processing policies that motivate new inquiries.
For inquiries with a frequency greater than once per calendar month, MuchoSur may charge the Owner for shipping, reproduction, and, where applicable, certification of documents. Reproduction costs may not exceed the costs of recovering the corresponding material. To this end, MuchoSur will provide proof of such expenses to the Superintendency of Industry and Commerce, upon request.
The Data Owner may exercise the right of access or consultation of his/her data by means of a written request addressed to MuchoSur, sent by email to: notificaciones.judiciales@sht.com.co, indicating in the Subject “Exercise of the right of access or consultation”, or by postal mail sent to CR 13 26 30, BOGOTÁ DC - BOGOTÁ DC. The request must contain the following information:
Name and surname of the Holder.
Photocopy of the Citizenship Card of the Holder and, where applicable, of the person representing him/her, as well as the document proving such representation.
Petition in which the request for access or consultation is specified.
Address for notifications, date and signature of the applicant.
Documents supporting the request, where applicable.
The Data Subject may choose one of the following methods to access the database to receive the requested information:
On-screen display.
In writing, with a copy or photocopy sent by certified mail or not.
Email or other electronic means.
Another system suitable for the configuration of the database or the nature of the processing, offered by MuchoSur.
Once the request has been received, MuchoSur will resolve the consultation request within a maximum period of ten (10) business days from the date of receipt. When it is not possible to address the query within this period, the interested party will be informed, stating the reasons for the delay and indicating the date on which their query will be addressed, which in no case may exceed five (5) business days following the expiration of the first term. These deadlines are established in Article 14 of the LEPD.
Once the consultation process has been completed, the Owner or beneficiary may file a complaint with the Superintendency of Industry and Commerce.
11. CLAIMS
Data subjects may exercise their right to file a claim regarding their data by writing to MuchoSur, either by email to notificaciones.judiciales@sht.com.co, indicating "Exercise of the right of access or consultation" in the subject line, or by post to CR 13 26 30, BOGOTÁ DC - BOGOTÁ DC. The request must contain the following information:
Name and surname of the Holder.
Photocopy of the Citizenship Card of the Holder and, where applicable, of the person representing him/her, as well as the document proving such representation.
Description of the facts and request specifying the application for correction, deletion, revocation or infringement.
Address for notifications, date and signature of the applicant.
Documents supporting the request made that you wish to assert, where applicable.
If the claim is incomplete, the interested party will be required within five (5) days of receipt to correct the deficiencies. After two (2) months from the date of the request, if the applicant does not submit the required information, it will be understood that the claim has been withdrawn.
Once the complete claim has been received, a legend stating "claim in process" and the reason for the claim will be added to the database within a period of no more than two (2) business days. This legend must remain in effect until the claim is decided.
MuchoSur will resolve the claim request within a maximum period of fifteen (15) business days from the date of receipt. When it is not possible to address the claim within this period, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.
Once the claim process has been exhausted, the Holder or beneficiary may file a complaint with the Superintendency of Industry and Commerce.
11.1 AUTHORIZED TO RECEIVE INFORMATION
MuchoSur will provide the information of the owners of its databases to the following persons authorized or empowered to receive it, in accordance with Article 13 of Law 1581 of 2012:
To the Holders, their successors in title or their legal representatives;
To public or administrative entities in the exercise of their legal functions or by court order;
To third parties authorized by the Owner or by law.
11.2 VERIFICATION OF THE AUTHORITY TO REQUEST OR RECEIVE INFORMATION
To process a request for consultation or complaint, the applicant must provide the following documents to prove ownership or the authority to receive the requested information, in accordance with the following cases:
Holder: Copy of the identity document.
Legal successor: Identity document, civil registry of death of the Holder, document proving the capacity in which he/she acts and a copy of the Holder's identity document.
Legal representative and/or attorney: Valid identity document, document proving the capacity in which he/she acts (Power of Attorney) and a copy of the Owner's identity document.
12. DATA PROCESSING IN VIDEO SURVEILLANCE SYSTEMS
MuchoSur will inform people about the existence of video surveillance mechanisms by posting visible notices within the reach of all data subjects and installing them in video surveillance areas, primarily at the entrances to and within the premises being monitored and supervised. These notices will include information about the Data Controller, the purposes of the processing, the Data Subject's rights, the channels available to exercise the Data Subject's rights, and the location of the Data Processing Policy.
On the other hand, it will retain the images only for the time strictly necessary to fulfill the purpose of the processing and will register the database that stores the images in the National Registry of Databases, unless the Processing consists only of the reproduction or broadcast of images in real time.
Access to and disclosure of images will be restricted to individuals authorized by the Data Controller and/or at the request of an authority acting in the exercise of its functions. Consequently, the disclosure of the information collected will be controlled and consistent with the purpose established by the Data Controller.
13. SECURITY MEASURES
In order to comply with the security principle enshrined in Article 4, paragraph g) of the LEPD (Personal Data Protection Act), MuchoSur has implemented the necessary technical, human, and administrative measures to guarantee the security of records, preventing their alteration, loss, unauthorized or fraudulent access, use, or consultation.
Furthermore, MuchoSur, by signing the corresponding data transfer contracts, has required the data processors with whom it works to implement the necessary security measures to guarantee the security and confidentiality of the information when processing personal data.
Below are the security measures implemented by MuchoSur, which are collected and developed in its PL-02 Internal Security Policies (Tables I, II, III and IV).
TABLE I: Common security measures for all types of data (public, private, confidential, reserved) and databases (automated, non-automated)
Document and media management
1. Measures to prevent unauthorized access to or recovery of data that has been discarded, deleted, or destroyed.
2. Restricted access to the location where the data is stored.
3. Authorization of the person responsible for managing the databases for the output of documents or media by physical or electronic means.
4. Labeling or identification system of the type of information.
5. Inventory of supports.
6. User access limited to the data necessary for the performance of their functions.
Access control
1. Updated list of authorized users and accesses.
2. Mechanisms to prevent access to data with rights other than those authorized.
3. Granting, alteration or cancellation of permits by authorized personnel
Incidents
1. Incident log: type of incident, time of occurrence, notification issuer, notification recipient, effects and corrective measures.
2. Procedure for reporting and managing incidents.
Staff
1. Definition of the functions and obligations of users with access to the data.
2. Definition of the control functions and authorizations delegated by the data controller.
3. Dissemination among staff of the rules and the consequences of non-compliance.
Internal Security Manual
1. Preparation and implementation of the mandatory manual for staff.
2. Minimum content: scope of application, security measures and procedures, functions and obligations of staff, description of databases, incident procedure, identification of data processors.
Non-automated databases
Archive
1. Archiving of documentation following procedures that guarantee correct conservation, location and consultation, which allow the exercise of the rights of the Holders.
Document storage
1. Storage devices with mechanisms that prevent access by unauthorized persons.
Document custody
1. Duty of diligence and custody of the person in charge of documents during their review or processing.
Automated databases
Identification and authentication
1. Personalized user identification to access information systems and verification of their authorization.
2. Identification and authentication mechanisms; passwords: assignment and expiration.
Telecommunications
1. Access to data through secure networks.
TABLE III: Security measures for private data according to the type of databases
Non-automated databases
Audit
1. Ordinary audit (internal or external) every two months.
2. Extraordinary audit due to substantial modifications in information systems.
3. Report on the detection of deficiencies and proposal for corrections.
4. Analysis and conclusions of the security officer and the data controller.
Security Officer
1. Appointment of one or more Database Administrators.
2. Designation of one or more persons in charge of controlling and coordinating the measures in the Internal Security Manual.
3. Prohibition of delegation of the Data Controller's responsibility to the Database Administrators.
Internal Security Manual
1. Periodic compliance controls.
Automated databases
Document and media management
1. Record of incoming and outgoing documents and media: date, sender and receiver, number, type of information, method of delivery, person responsible for receipt or delivery.
Access control
1. Access control to the place or places where the information systems are located.
Identification and authentication
1. Mechanism that limits the number of repeated unauthorized access attempts.
2. Data encryption mechanisms for transmission.
Incidents
1. Record of data recovery procedures, person performing them, data restored and data manually recorded.
2. Authorization of the data controller for the execution of recovery procedures.
TABLE IV: Security measures for sensitive data according to the type of databases
Non-automated databases
Access control
1. Access for authorized personnel only.
2. Access identification mechanism.
3. Log of access by unauthorized users.
4. Destruction that prevents access to or recovery of data.
Document storage
1. Filing cabinets, cupboards or other items located in access areas protected with keys or other measures.
2. Measures that prevent access to or manipulation of physically stored documents.
Automated databases
Access control
1. Confidential labeling system.
Identification and authentication
1. Data encryption mechanisms for transmission and storage.
Document storage
1. Access log: user, time, database accessed, type of access, record accessed.
2. Access log control by the security officer. Monthly report.
Telecommunications
1. Access and transmission of data through secure electronic networks.
2. Data transmission through encrypted networks (VPN).
14. COOKIES OR WEB BUGS
MuchoSur may collect personal information from its Users while they use the Website, Application, or Linked Pages (Landing Pages). Users may choose to have this personal information stored on the Website, Application, or Linked Portal (Landing Page) in order to facilitate transactions and services provided by MuchoSur and/or its Linked Portals (Landing Pages). To this end, MuchoSur uses various tracking and data collection technologies, such as its own and third-party cookies. Among these is a third-party analytics tool that helps website and application owners understand how visitors interact with their properties. This tool may use a set of cookies to collect information and provide website usage statistics without personally identifying visitors to Google. This information allows us to understand your browsing patterns and offer you personalized services. MuchoSur may use these technologies to authenticate you, remember your preferences for using the website, application, and linked pages (landing pages), present offers that may be of interest to you and facilitate transactions, analyze the use of the website, application, or linked pages and their services, use the information in the aggregate or combine it with personal information we hold, and share it with authorized entities.
If a user does not want their personal information collected through cookies, they can change the settings in their web browser. However, it is important to note that if a web browser does not accept cookies, some of the website, application, and/or linked pages (landing pages) may not be available or function properly. You can allow, block, or delete cookies installed on your device by configuring the browser options installed on your device, as follows:
15. PROCEDURE FOR NOTIFICATION, MANAGEMENT AND RESPONSE TO INCIDENTS
MuchoSur establishes a procedure for reporting, managing, and responding to incidents to ensure the confidentiality, availability, and integrity of the information contained in the databases under its responsibility.
Users and those responsible for procedures, as well as anyone involved in the storage, processing, or consultation of the databases included in this document, must be familiar with the procedure for responding to an incident.
The procedure for reporting, managing and responding to incidents is as follows:
● When a person becomes aware of an incident (loss, theft and/or unauthorized access) that affects or may affect the confidentiality, availability and integrity of the protected information of the company or any of its data processors, they must immediately notify the Data Protection Officer by e-mail at notificaciones.judiciales@sht.com.co, describing in detail the type of incident that occurred and indicating the people who may have been related to the incident, the date and time it occurred, the person who notified the incident, the person to whom it was communicated, and the effects it has produced.
● Once the incident has been reported, you must request an acknowledgment of receipt from the Data Protection Officer, which includes notification of the incident with all the requirements listed above.
● MuchoSur creates an incident log that must contain: the type of incident (internal or external fraud, damage to physical assets, technological failures, process execution and administration), date and time of the incident, the person reporting it, the person to whom it was reported, the effects of the incident, and corrective measures, where applicable. This log is managed by the Data Protection Officer; refer to FR-08 Security Incident Log.
● Likewise, data recovery procedures must be implemented when applicable, recording who performed the process, the data restored, and, where applicable, the data that required manual recording during the recovery process.
● Additionally, the Data Protection Officer must inform the Superintendency of Industry and Commerce, through the RNBD, within 15 business days of the incident being detected.
● Finally, MuchoSur will notify the Holders of the incident when it is identified that they may be significantly affected.
16. MANAGEMENT OF RISKS ASSOCIATED WITH DATA PROCESSING
MuchoSur has identified risks related to the processing of personal data and established controls to mitigate their causes through the implementation of PL-02 Internal Security Policies. Therefore, it will establish a risk management system along with the tools, indicators, and resources necessary for its administration when the organizational structure, internal processes and procedures, the amount of databases, and the types of personal data processed by the organization are considered exposed to frequent or high-impact events or situations that impact the proper provision of services or threaten the information of data subjects.
The risk management system will determine the sources, such as technology, human resources, infrastructure, and processes, that require protection, their vulnerabilities, and threats, in order to assess their level of risk. Therefore, to ensure the protection of personal data, the type or group of internal and external individuals and the different levels of access authorization will be taken into account. Likewise, the possibility of any type of event or action that could cause damage (material or immaterial) will be monitored, such as:
● Criminality: Understood as actions, caused by human intervention, that violate the law and are penalized by it.
● Events of physical origin: Understood as natural and technical events, as well as events indirectly caused by human intervention.
● Negligence and institutional decisions: These are understood as the actions, decisions, or omissions by people who have power and influence over the system. At the same time, these are the least predictable threats because they are directly related to human behavior.
MuchoSur will implement protective measures in its risk management program to prevent or minimize damage should a threat materialize.
17. PROVISION OF PERSONAL DATA TO THE AUTHORITIES
When a public or administrative entity, in the exercise of its legal functions or by court order, requests MuchoSur access to and/or the provision of personal data contained in any of its databases, the legality of the request and the relevance of the requested data to the purpose stated by the authority will be verified. For the provision, a document will be signed indicating the details of the requesting entity and the characteristics of the personal information requested, specifying the obligation to guarantee the rights of the Data Subject, both to the official making the request, to the person receiving it, and to the requesting entity.
18. INTERNATIONAL TRANSFER AND TRANSMISSION OF PERSONAL DATA
MuchoSur will transfer personal data only to countries that provide adequate levels of data protection. A country is deemed to offer an adequate level of data protection when it meets the standards set by the Superintendency of Industry and Commerce on the matter, which in no case may be lower than those that Law 1581 of 2012 requires of recipients. This restriction will not apply in the case of:
● Information for which the Data Subject has given his or her express and unequivocal authorization for transfer.
● Exchange of medical data when required by the Data Subject's treatment for reasons of health or public hygiene.
● Bank or stock transfers, in accordance with applicable legislation.
● Transfers agreed upon within the framework of international treaties to which the Republic of Colombia is a party, based on the principle of reciprocity.
● Transfers necessary for the execution of a contract between the Data Subject and the Data Controller, or for the execution of pre-contractual measures, provided that the Data Subject's authorization is obtained.
● Transfers legally required to safeguard the public interest, or for the recognition, exercise, or defense of a right in a judicial process.
In cases where data transfer is necessary and the destination country is not on the list of countries considered safe harbors designated by the Superintendency of Industry and Commerce, a declaration of compliance regarding approval for the international transfer of personal data must be processed from the same entity.
International transfers of personal data between MuchoSur and a data processor to enable the processor to process the data on behalf of the controller do not require the data subject's notification or consent, provided that a personal data transfer agreement exists. This personal data transfer agreement must be signed between the controller and the data processor to define the scope of the processing of personal data under their control and responsibility, as well as the activities the processor will carry out on behalf of the controller and the data processor's obligations to the data subject. Additionally, the data processor must comply with the following obligations and apply the data protection regulations in force in Colombia.
● Process, on behalf of the Controller, personal data in accordance with the principles that protect them.
● Safeguard the security of databases containing personal data.
● Maintain confidentiality regarding the processing of personal data.
The above conditions established for international data transmissions will also apply to domestic data transmissions.
19. PROCESSING OF BIOMETRIC DATA
Biometric data stored in databases is collected and processed strictly for security purposes, to verify personal identity and control access for employees, customers, and visitors. Biometric identification mechanisms capture, process, and store information related to, among other things, a person's physical characteristics (fingerprints, voice recognition, and facial features) in order to establish or "authenticate" each subject's identity.
The administration of biometric databases is carried out with technical security measures that guarantee compliance with the principles and obligations derived from the Statutory Law on Data Protection, while also ensuring the confidentiality and privacy of the data subjects' information.
20. NATIONAL DATABASE REGISTRY – RNBD
The deadline for registering databases with the RNBD shall be the one established by law. Furthermore, in accordance with Article 12 of Decree 886 of 2014, Data Controllers must register their databases in the National Database Registry on the date the Superintendency of Industry and Commerce enables said registry, in accordance with the instructions issued by that entity for this purpose. Databases created after this deadline must be registered within two (2) months from their creation.
21. INFORMATION SECURITY
Compliance with the regulatory framework for Personal Data Protection, as well as the security, confidentiality, and privacy of the information stored in databases, is of vital importance to MuchoSur. Therefore, we have established information security policies, guidelines, procedures, and standards, which may change at any time to adapt to new regulations and MuchoSur's needs. The objective is to protect and preserve the integrity, confidentiality, and availability of information and personal data.
We also guarantee that in the collection, storage, use, and/or processing, destruction, or deletion of the information provided, we rely on technological security tools and implement security practices that include: transmission and storage of sensitive information through secure mechanisms, use of secure protocols, securing technological components, restricting access to information to authorized personnel only, backing up information, and secure software development practices, among others.
In the event that it is necessary to provide information to a third party due to the existence of a contractual relationship, we sign a transmission contract to guarantee the confidentiality and reserve of the information, as well as compliance with this Data Processing Policy, the information security policies and manuals and the protocols for serving data subjects established in MuchoSur. In any case, we adopt commitments for the protection, care, security and preservation of the confidentiality, integrity and privacy of the stored data.
22. DOCUMENT MANAGEMENT
Documents containing personal data must be easily retrievable, which is why the location of each document, both physical and digital, must be documented. These storage routes must be inspected frequently. Their preservation must be guaranteed by defining the medium on which they will be stored and under what conditions they will be preserved, taking into account environmental conditions, storage locations, risks to which they are exposed, among others. The retention time for documents is determined based on legal requirements, if applicable. Otherwise, each organization defines it according to its needs. Likewise, their final disposition must be clear, identifying whether they are recycled, reused, preserved, digitized, among others. Documents related to the protection of personal data must be prepared by competent personnel or an entity. Likewise, the organization must be the one to review and approve all documents and record them in the document approval box.
To ensure they are easily traceable, documents must be coded and updated and modified by the responsible staff. This modification will be carried out whenever necessary. Document deletion must be justified in the history, which is located at the bottom of all documents.
Both physical and digital documents containing personal data must be protected from external or internal agents who may alter their content, following the guidelines described in the PL-02 Internal Security Policies Manual.
The distribution of documents containing personal data will be carried out by the data controller, who will document evidence of such distribution, specifying, among other things, the type of document and the identification of the person to whom the information was delivered.
A person responsible for ensuring the confidentiality of the data subjects' personal data must be designated. This person will safeguard the documents, guarantee their physical and digital protection, prevent alterations to the information, and ensure that documents leaving their custody are identified and easily traceable.
MuchoSur reserves the right to make modifications or updates to this Policy at any time to address legislative developments, internal policies, or new requirements for the provision or offering of its services or products.
23. VALIDITY
This Policy update will be effective from 2023-09-01. MuchoSur's databases will be processed for as long as is reasonable and necessary for the purpose for which the data is collected and in accordance with the authorization granted by the personal data subjects.