Data Protection

POLICIES FOR THE TREATMENT OF PERSONAL INFORMATION OF GUESTS, CLIENTS AND USERS:

FIRST: GENERAL

We have special interest in protecting and respecting your information and personal data and therefore we have designed these policies for the treatment of information, within the framework of the law 1581 of 2012 and the regulatory decree 1377 of 2013.

1.1.- Introduction.

The company Logística GHL SAS and affiliated companies, operators of hotels "a GHL experience" and responsible for the processing of information, may collect personal data of its users, guests or visitors, through the various means intended for access to the services provided by them. In any case, the collection will be made under the express authorization of the owner of the data and the treatment of these will be subject to the provisions of the law.

Translated with www.DeepL.com/Translator (free version) The personal information subject to the considerations set forth herein may be collected directly from the information provided and contained in the hotel registration card, through the website www.sonestacali.com, by visiting or purchasing services offered on the platform, or directly in the hotels linked or associated with GHL.

The considerations set forth herein shall be deemed accepted by the Owner of the Information, when subscribing the Hotel Registration Card with respect to the information contained therein, when visiting or using the website www.sonestacali.com and / or when entering data or personal information through the functions established for this purpose, regardless of the purpose.

1.2- General principles.

The collection and gathering of personal data, as well as the use, treatment, processing, exchange, transfer and transmission thereof, shall always be guided by principles of legality, freedom, truthfulness, transparency, security, confidentiality, principle of access and restricted circulation.

1.3- Legal definitions.

In accordance with Law 1581 of 2012 and Decree 1377 of 2013, the following definitions shall govern the policies for the treatment of personal information.

1.3.1.- Authorization: Prior, express and informed consent of the Data Subject to carry out the Processing of personal data. Database: Organized set of personal data that is subject to Processing; 1.3.3.3.- Personal Data: Any information linked or that may be associated to one or several determined or determinable natural persons; 1.3.4.- Data Processor: The Data Processor is the natural or legal person, public or private, who by himself or in association with others, carries out the Processing of personal data on behalf of the Data Controller; 1.3.5.- Data Controller: The Data Controller is the natural or legal person, public or private, who by himself or in association with others, decides on the database and/or the Processing of the data; 1.3.6.- Sensitive Data: Sensitive data are understood as those that affect the privacy of the Data Subject or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sex life, and biometric data. 1.3.7.- Public data: Data that is not semi-private, private or sensitive. Public data includes, among others, data related to the marital status of individuals, their profession or trade, and their status as merchants or public servants. By their nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed court rulings that are not subject to confidentiality. 1.3.8.- Data Subject: Natural person whose personal data is subject to Processing. 1.3.9.- Transfer: The transfer of data takes place when the Controller and/or Processor of personal data, located in Colombia, sends the information or personal data to a recipient, which in turn is the Controller of the Processing and is located inside or outside the country. 1.3.10- Transmission: Processing of personal data that involves the communication of the same within or outside the territory of the Republic of Colombia when the purpose of the Processing is carried out by the Processor on behalf of the Controller. 1.3.11.- Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or suppression.

SECOND: AUTHORIZATION OF THE HOLDER:

The data provided will be subject to authorized treatment, granted in a prior, express and informed manner by the Holder of the same. By providing your data at the entrance of the hotel to fill out the Hotel Registration Card, you are authorizing the treatment in the terms and conditions set forth in this policy.

The visit, entry or use of the website www.sonestacali.com, constitutes in itself prior, express and informed authorization for the storage, collection and processing of information in accordance with the data processing policy contained herein.

In any case, the collection of data will be limited to those personal data that are relevant and appropriate for the purpose pursued.

THIRD: TREATMENT OF INFORMATION:

3.1- Data collected. The collection of data for the development of the Treatment and purposes pursued by it, will fall on the personal data received and stored on the occasion of the completion of the Hotel Registration Card, the information provided by our guests, customers, visitors and will include all the information provided or provided in the visit to the website www.sonestacali.com, as well as all that related to the services or reservations made, and accommodation and lodging data provided physically or virtually.

Notwithstanding the fact that in some cases it is public data, the information collected and object of treatment will be the information corresponding to the name, identification document number whether citizenship card, passport or any other valid, profession, nationality, date of birth, email address, preferences and personal interests, work or activity, consumption habits or travel habits. If a reservation is made through the website www.sonestacali.com, the information corresponding to the credit card provided for the purposes of the reservation and stay will be collected.

3.2- Treatment to which the data will be subjected and its purpose.

The data and information obtained will be used in the normal course of its business activities only for the purpose set forth in these policies of treatment of information, so as to create a direct and effective communication with the guest, customer or user, leading to establish a closer link and consolidate a business relationship.

The treatment consists of sending digital information through different means of communication, with the intention of contacting the owner to send service surveys after each stay that allow the qualification of the service provided, and communicate invitations, offers, promotions, portfolio of services or information from the Hotel or hotels "a GHL experience", without at any time their data are provided, transferred or delivered to persons other than those responsible or responsible for the processing of information. Additionally, by collecting data we seek to: make, process, process and / or complete reservations or purchase of hotel nights or other services; conduct internal studies on tourism habits; evaluate the quality of our services; send surveys and questionnaires regarding the services provided; timely respond to your requests, requests or needs; communicate invitations, offers, promotions, and information in general about the portfolio of services offered by natural or legal persons who are directly linked to the hotel operation and specifically with the services provided.

The authorization for the use of the information or data provided that are collected, collected or stored in accordance with these policies expressly includes the authorization for the data and information to be shared, processed, transmitted, transferred, updated and/or deleted for the purpose defined in these policies, to be used in the manner established. By accessing the website www.sonestacali.com you authorize your information and data to be shared with the tourism providers to whom they refer and before whom your reservations and/or requests are processed.

It is assumed that all information or data provided or deposited in the Hotel Registration Card or through the page www.sonestacali.com is true, accurate and complete, and may be withdrawn at any time in the event that it is considered harmful or detrimental to your interests or the interests of a third party.

The data and in general the information received when you enter the website www.sonestacali.com can be both yours and the equipment from which you are entering. In order to optimize and make your experience visiting the www.sonestacali.com website more efficient, cookies and/or web beacons may be used, and information may be obtained and stored on the Internet pages visited, your IP address, the operating system of the computer from which you are entering, through a process of recognition and tracking to identify your preferences and identify you when you visit the page again and store certain records, based on your IP address. The IP address is not associated or linked to your name or personal information.

3.3.- Sensitive data and data corresponding to children and adolescents.

In no event and under no circumstances will data considered as sensitive be treated, nor is data collection aimed at collecting sensitive information.

The collection of data corresponding to children and adolescents who are minors, and the respective authorization, must always be given through their legal representative, after the minor has exercised his or her right to be heard. The processing of data corresponding to children and adolescents must respond to and respect the best interests of children and adolescents, and their fundamental rights.

In the event that for any reason any question may lead to the answer being related to sensitive data or data of children and adolescents, the answer to such question shall be optional.

3.4.- Duties of the data controller.

Those responsible for the information, and/or those responsible for and in charge of the processing of personal data, are obliged to: a) Guarantee the Data Subject, at all times, the full and effective exercise of the right of habeas data; b) Request and keep, under the conditions provided by law, a copy of the respective authorization granted by the Data Subject; c) Duly inform the Data Subject about the purpose of the collection and the rights granted by virtue of the authorization granted; d) Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access; e) Ensure that the information provided to the Data Processor is truthful, complete, accurate, updated, verifiable and understandable; f) Update the information, communicating in a timely manner to the Data Processor, all developments regarding the data previously provided and take other necessary measures to ensure that the information provided to it is kept up to date; g) Rectify the information when it is incorrect and communicate the pertinent to the Data Processor; h) Provide the Data Processor, as the case may be, only data whose Processing is previously authorized in accordance with the provisions of this law; i) Require the Data Processor at all times to respect the security and privacy conditions of the Data Subject's information; j) Process the queries and claims formulated in the terms set forth in the law; k) Inform the Data Controller when certain information is under discussion by the Data Subject, once the claim has been filed and the respective process has not been completed; l) Inform the Data Subject upon request about the use given to his/her data; m) Inform the data protection authority when there are violations to the security codes and there are risks in the administration of the Data Subject's information. n) Comply with the instructions and requirements given by the Superintendence of Industry and Commerce.

FOURTH: RIGHTS AND POWERS OF THE OWNER:

4.1.- Rights of the Holder. Once the authorization has been granted by the Data Subject for the corresponding processing, he/she has the right to: a) Know, update and rectify his/her personal data. This right may be exercised against partial, inaccurate, incomplete, fractioned, misleading data, or data whose Processing is expressly prohibited or has not been authorized; b) Request proof of the authorization granted, except when expressly exempted as a requirement for the Processing, in accordance with the provisions of Article 10 of Law 1581 of 2012; c) Be informed by the person responsible and/or in charge of the personal data, upon request, of the use that has been made of their personal data; d) File complaints before the Superintendence of Industry and Commerce for violations of the provisions of the law; e) Revoke the authorization and/or request the deletion of the data when the Processing does not respect the constitutional and legal principles, rights and guarantees. The revocation and/or deletion shall proceed when the Superintendence of Industry and Commerce has determined that the Processing has incurred in conduct contrary to this law and the Constitution; f) Request, at any time to the responsible or in charge, the deletion of their personal data and/or revoke the authorization granted for the Processing of the same, by filing a claim, shall not proceed when the Holder has a legal or contractual duty to remain in the database. g) Access free of charge to their personal data that have been subject to Processing: (i) at least once every calendar month, and (ii) whenever there are substantial modifications to the Information Processing Policies that give rise to new queries. In case of requests whose periodicity is greater than one per calendar month, the responsible and/or in charge, may charge the Holder the costs of shipping, reproduction and, where appropriate, certification of documents.

4.2.- Legitimation for the exercise of the holder's rights.

The following persons are also entitled to exercise the rights of the owner of the information: a) The owner himself, who must prove his identity sufficiently by the means made available by the data controller; b). His assignees, who must prove their identity; c). The representative and/or attorney-in-fact of the Data Subject, prior accreditation of the representation or power of attorney; d). By stipulation in favor of or for another; e). The rights of children or adolescents shall be exercised by the persons empowered to represent them, prior accreditation of the power of representation.

4.3.- Procedure to exercise the rights to know, update, rectify or delete information and revoke authorization.

The procedures for access, updating, deletion and rectification of personal data, and revocation of authorization, may be advanced through inquiries or complaints, sent to the email calidad.sonestacali@ghlhoteles.com or to the address Calle 18 Norte No. 4N-08 Cali, Colombia, depending on the purpose they pursue, establishing at least, the legitimacy that you have to make the request and stating clearly and concretely, what is intended.

All requests, suggestions and recommendations related to the processing of information should be sent to the e-mail calidad.sonestacali@ghlhoteles.com, and will be answered within ten (10) working days of receipt at the latest.

The owner of the information or the person entitled to do so must attach to his letter proof of the capacity in which he is acting, and must provide the data and documents required to prove his identity and capacity.

The e-mail must specify the reason or purpose of the communication, and for this purpose it will be sufficient that the text indicates that the right to know, update, rectify, delete or revoke the authorization granted is being exercised.

4.4.- Procedure for the correction, updating or deletion of data and for the filing of complaints and claims.

Whoever is legitimized by law, and considers that the information contained therein should be subject to correction, updating or deletion; or when he/she considers that the treatment given to personal data violates legal standards, may submit, in accordance with Article 15 of Law 1581 of 2012, claims to the email calidad.sonestacali@ghlhoteles.com.

Complaints and claims shall be processed under the following rules:

4.4.1.- The claim shall be formulated by means of a request addressed to the Data Controller or the Data Processor, with the identification of the Data Subject, the description of the facts giving rise to the claim and the address, accompanying the documents to be asserted. If the claim is incomplete, the interested party will be required within five (5) business days following receipt of the claim to correct the faults. After two (2) months from the date of the requirement, without the applicant submitting the required information, it will be understood that the claim has been withdrawn.

In the event that the person who receives the claim is not competent to resolve it, it will be transferred to the appropriate person within a maximum term of two (2) business days and the interested party will be informed of the situation.

4.4.2.- Once the complete claim has been received, a legend will be included in the database stating "claim in process" and the reason for the claim, within a term not exceeding two (2) business days. Said legend shall be maintained until the claim is decided.

4.4.3.- The maximum term to address the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to address the claim within such term, the interested party will be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

4.5.- Inquiries and access to information.

Personal data queries will be answered by written request through the e-mail calidad.sonestacali@ghlhoteles.com.

Queries will be answered within a maximum period of ten (10) working days from the date of receipt. When it is not possible to answer the query within such term, the interested party will be informed before the expiration of ten (10) working days, stating the reasons for the delay and indicating the date on which the query will be answered, which in no case may exceed five (5) working days following the expiration of the first term.

FIFTH: SECURITY.

5.1.- Security in the handling of information.

The data collected will always be treated within a framework of confidentiality, so it will not be provided, transferred or given to persons other than or outside the persons responsible or in charge of the treatment.

5.2.- Transfer and transmission of data.

In the event that a contract is entered into with a third party professional and experienced in the management and use of databases, the data controller shall enter into a contract for the transfer of personal data referred to in Article 25 of Decree 1377 of 2013.

SIXTH: DISSEMINATION AND VALIDITY

6.1.- Means of dissemination of information processing policies and privacy notice.

This document, which establishes the policies for the treatment of information on personal data collected, will be permanently published on the link www.sonestacali.com so that it can be consulted by anyone interested.

At the time of requesting the Data Subject's express authorization for data processing, the specific purposes for which consent is obtained will be indicated and the Data Subject will be informed of the Processing Policy and his/her rights as a Data Subject.

6.2.- Entry into force of the information processing policies.

The collection, storage, use and circulation of personal data, in development of the considerations set forth herein, will be carried out and maintained as long as the needs and purposes established and proposed by the Processing remain in force. In the event that the purpose cannot be achieved by means of the Processing given to the personal data, they will be permanently deleted from the database.

This document comes into force on February 22, 2016.

6.3.- Procedure for Policy Modification Events.

In the event that modifications are made to the personal data processing policies set forth herein, they will be notified and communicated through this web page, prior to their entry into force.

6.4.- Incorporation of the conditions of use of the web page www.sonestacali.com

In accordance with the applicable regulations, the information treatment policy is an integral part of the terms and conditions of use of the website www.sonestacali.com.

6.5. - Responsible for the information.

The company LOGÍSTICA GHL SOCIEDAD POR ACCIONES SIMPLIFICADA, with NIT 90076001-06 is responsible and in charge of the processing of personal data. The companies will be responsible for the information and personal data collected. When the information has been received or collected by any of the aforementioned companies, with express authorization to be transferred, LOGÍSTICA GHL SOCIEDAD POR ACCIONES SIMPLIFICADA will be responsible for the processing.

Any communication may be addressed to Calle 18 Norte No. 4N-08, Cali, or by e-mail to calidad.sonestacali@ghlhoteles.com.

POLICIES FOR THE TREATMENT OF PERSONAL INFORMATION SUPPLIERS

FIRST: GENERAL

In the development of our business relationships, we have special interest in protecting and respecting your information and personal data and therefore we have designed these policies for the treatment of information, within the framework of the law 1581 of 2012 and the regulatory decree 1377 of 2013.

1.1.- Introduction.

The company Logística GHL SAS and affiliated companies, operators of hotels "a GHL experience" and responsible for the processing of information, may collect personal data from its suppliers, and in general who sell them goods or services, in the development of the business relationship to facilitate its implementation and seek the greatest possible efficiency. The collection will be made under the express authorization of the owner of the data and the treatment of these will be subject to the provisions of the law and this policy.

Personal information may be collected directly from suppliers or from the information contained in the certificate of existence and legal representation issued by the Chamber of Commerce, in the RUT, in contracts, quotations, proposals, invoices, purchase orders and in general in any document that corresponds to the business relationship.

It shall be understood that the Holder of the Information has accepted the terms and conditions of these policies when issuing the proposal or quotation and/or when signing the corresponding contract or equivalent document.

1.2- General principles.

1.3- Legal definitions.

In accordance with Law 1581 of 2012 and Decree 1377 of 2013, the following definitions shall govern the policies for the treatment of personal information.

1.3.1.- Authorization: Prior, express and informed consent of the Data Subject to carry out the Processing of personal data. Database: Organized set of personal data that is subject to Processing; 1.3.3.3.- Personal Data: Any information linked or that may be associated to one or several determined or determinable natural persons; 1.3.4.- Data Processor: The Data Processor is the natural or legal person, public or private, who by himself or in association with others, carries out the Processing of personal data on behalf of the Data Controller; 1.3.5.- Data Controller: The Data Controller is the natural or legal person, public or private, that by itself or in association with others, decides on the database and/or the Processing of the data; 1.3.6.- Sensitive data: Sensitive data are understood as those that affect the privacy of the Data Subject or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sex life, and biometric data. Public data: Data that is not semi-private, private or sensitive. Public data includes, among others, data relating to the civil status of individuals, their profession or trade, and their status as merchants or public servants. By their nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins and duly executed court rulings that are not subject to confidentiality. 1.3.8.- Data Subject: Natural person whose personal data are subject to Processing. 1.3.9- Transfer: The transfer of data takes place when the Controller and/or Processor of personal data, located in Colombia, sends the information or personal data to a recipient, which in turn is the Controller of the Processing and is located inside or outside the country. 1.3.10- Transmission: Processing of personal data that involves the communication of the same within or outside the territory of the Republic of Colombia when the purpose of the Processing is carried out by the Processor on behalf of the Controller. 1.3.11.- Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or suppression.

SECOND: AUTHORIZATION OF THE HOLDER:

The data provided will be subject to authorized treatment, granted in a prior, express and informed manner by the Holder of the same. By providing your data for the conclusion of the legal business corresponding to the purchase of goods or services, you are authorizing the treatment under the terms and conditions set forth in this policy.

In any case, data collection will be limited to those personal data that are relevant and appropriate for the purpose pursued.

THIRD: TREATMENT OF THE INFORMATION:

3.1- Data collected. The collection of data for the development of the Treatment and purposes pursued by it, will fall on the personal data received in development or execution of the business relationship between the parties and specifically those received in respect of the purchase of goods or services.

Notwithstanding that in some cases it is public data, the information collected and object of treatment will be the name, identification number (NIT, citizenship card, passport) contact details such as telephone, physical address, email address, the information contained in the RUT, type of goods or services offered, category in which it is located, economic activity, commercial and personal references, bank references, bank account numbers for payments, category in which it is located, economic activity, commercial and personal references, bank references, bank account numbers for payments, and all the information that is necessary to comply with the contractually assumed obligations, with the legal obligations and with the correct execution and development of the commercial relationship between the parties.

3.2- Treatment to which the data will be subjected and purpose thereof.

The data and information obtained will be used in the normal course of its business activities only for the purpose set forth in these policies of treatment of information, so that the business relationship and as such the acquisition of food and goods and the provision of services that are contracted is properly executed and developed.

The treatment that will be given to the data consists of the handling and disposition of the data to have the information that allows the administrative and accounting management of the suppliers; the control over the state of payments, balances, discounts; the management of the inventory of the acquired goods; the attention and compliance of the fiscal, tax, legal requirements and of any other nature with entities of the national, district or municipal government; the categorization and classification of the supplier according to the goods or services offered, price, quality; to support internal or external auditing processes.

The authorization for the use of the information or data provided that is collected, gathered or stored in accordance with the present policies expressly includes the authorization for the data and information to be shared, processed, transmitted, transferred, updated and/or deleted for the purpose defined in the present policies, to be used in the manner established.

3.3.- Sensitive data and data corresponding to children and adolescents.

In no event and under no circumstances shall data considered as sensitive or data corresponding to children and adolescents be processed. The collection of data from suppliers is not oriented to collect sensitive information or information of children or adolescents.

3.4.- Duties of the data controller.

FOURTH: RIGHTS AND POWERS OF THE OWNER:

4.2.- Legitimation for the exercise of the holder's rights.

4.3.- Procedure to exercise the rights to know, update, rectify or delete information and revoke authorization.

All requests, suggestions and recommendations related to the treatment of information should be sent to the e-mail calidad.sonestacali@ghlhoteles.com and will be answered within ten (10) working days of receipt at the latest.

The owner of the information or the authorized person must attach to his letter proof of the capacity in which he is acting, and must provide the data and documents required to prove his identity and capacity.

4.4.- Procedure for the correction, updating or deletion of data and for the filing of complaints and claims.

Whoever is legitimized by law, and considers that the information contained therein should be subject to correction, updating or deletion; or when he/she considers that the treatment given to personal data violates legal standards, may submit, in accordance with Article 15 of Law 1581 of 2012, complaints to the email calidad.sonestacali@ghlhoteles.com.

Complaints and claims will be processed under the following rules:

4.4.1.- The claim shall be formulated by means of a request addressed to the Data Controller or the Data Processor, with the identification of the Data Subject, the description of the facts that give rise to the claim and the address, accompanied by the documents to be asserted. If the claim is incomplete, the interested party will be required within five (5) business days following receipt of the claim to correct the faults. After two (2) months from the date of the requirement, without the applicant submitting the required information, it will be understood that the claim has been withdrawn.

4.4.3.- The maximum term to address the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to address the claim within such term, the interested party shall be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

4.5.- Consultation and access to information.

Queries regarding personal data contained in the database will be answered by written request through the e-mail calidad.sonestacali@ghlhoteles.com.

Queries will be answered within a maximum term of ten (10) working days from the date of receipt. When it is not possible to answer the query within such term, the interested party will be informed before the expiration of ten (10) working days, stating the reasons for the delay and indicating the date on which the query will be answered, which in no case may exceed five (5) working days following the expiration of the first term.

FIFTH: SECURITY.

5.1.- Security in the handling of information.

The data collected will always be treated within a framework of confidentiality and therefore will not be provided, transferred or given to persons other than those responsible for or in charge of the processing.

5.2.- Transfer and transmission of data.

SIXTH: DISSEMINATION AND VALIDITY:

6.1.- Means of dissemination of information processing policies and privacy notice.

This document, which establishes the policies for the processing of information on personal data collected will be permanently published on the link www.sonestacali.com so that it can be consulted by whoever is interested.

At the time of requesting the express authorization of the Data Subject for the processing of data, the specific purposes for which consent is obtained will be indicated and the Data Subject will be informed of the Processing Policy and his or her rights as a Data Subject.

6.2.- Entry into force of the information processing policies.

This document comes into force on February 22, 2016.

6.3.- Procedure for policy modification events.

En el evento en que se realicen modificaciones a las políticas de tratamiento de datos personales acá consagradas, se notificarán y comunicarán a través de esta misma página web, con anterioridad a la entrada en vigencia de las mismas.

6.4.- Incorporation of the conditions of use of the web page www.sonestacali.com.

In accordance with the applicable regulations, the information treatment policy is an integral part of the terms and conditions of use of the website www.sonestacali.com.

6.5. - Responsible for the information.

Any communication may be addressed to Calle 18 Norte No. 4N-08, Cali, or by e-mail to calidad.sonestacali@ghlhoteles.com.

POLICIES FOR THE TREATMENT OF PERSONAL INFORMATION OF EMPLOYEES, OFFICERS AND COLLABORATORS

FIRST: GENERAL

In developing our business relationships, we have special interest in protecting and respecting your information and personal data and therefore we have designed these policies for the treatment of information, within the framework of the law 1581 of 2012 and the regulatory decree 1377 of 2013.

1.1.- ntroduction.

The company Logística GHL SAS and affiliated companies operating hotels "a GHL experience" and responsible for the processing of information, may collect personal data of its employees, officers and / or collaborators, regardless of the link and contractual nature. The collection will be made under the express authorization of the owner of the data and the treatment of these will be subject to the provisions of the law and this policy.

Personal information will be collected directly from employees, officers and/or collaborators and will be related to the activity they perform.

1.2- General principles.

1.3- Legal definitions.

In accordance with Law 1581 of 2012 and Decree 1377 of 2013, the following definitions shall govern the policies for the treatment of personal information.

1.3.1.- Authorization: Prior, express and informed consent of the Data Subject to carry out the Processing of personal data. Database: Organized set of personal data that is subject to Processing; 1.3.3.3.- Personal Data: Any information linked or that may be associated to one or several determined or determinable natural persons; 1.3.4.- Data Processor: The Data Processor is the natural or legal person, public or private, who by himself or in association with others, carries out the Processing of personal data on behalf of the Data Controller; 1.3.5.- Data Controller: The Data Controller is the natural or legal person, public or private, that by itself or in association with others, decides on the database and/or the Processing of the data; 1.3.6.- Sensitive data: Sensitive data are understood as those that affect the privacy of the Data Subject or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sex life, and biometric data. 1.3.7.- Public data: Data that is not semi-private, private or sensitive. Public data includes, among others, data related to the marital status of individuals, their profession or trade, and their status as merchants or public servants. By their nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins and duly executed court rulings that are not subject to confidentiality. 1.3.8.- Data Subject: Natural person whose personal data are subject to Processing. 1.3.9- Transfer: The transfer of data takes place when the Controller and/or Processor of personal data, located in Colombia, sends the information or personal data to a recipient, which in turn is the Controller of the Processing and is located inside or outside the country. 1.3.10- Transmission: Processing of personal data that involves the communication of the same within or outside the territory of the Republic of Colombia when the purpose of the Processing is carried out by the Processor on behalf of the Controller.

1.3.11.- Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or suppression.

SECOND: AUTHORIZATION OF THE OWNER:

The data provided shall be subject to authorized processing, granted in a prior, express and informed manner by the Data Owner. In any case, data collection will be limited to those personal data that are relevant and adequate for the purpose pursued.

THIRD: TREATMENT OF THE INFORMATION:

3.1- Data collected. The collection of data for the development of the Treatment and purposes pursued by it, will fall on the personal data received in the development or execution of the relationship between the parties.

Notwithstanding the fact that in some cases it is public data, the information collected and object of treatment will be that corresponding to the information provided in the resume, name, citizenship card or passport number, academic experience, professional experience, information related to the execution of the contractual relationship, that corresponding to the management of salary payments, remuneration fees, social security as appropriate, and that corresponding to basic health data such as HR or allergies in cases where such information is provided.

3.2- Treatment to which the data will be submitted and its purpose.

The data and information obtained will be used only for the purpose established in these policies for the treatment of information.

The treatment that will be given to the data consists of the handling and disposition of the data to have the information that allows to advance the activities, processes and procedures of human talent; to establish the payment status of payroll; fees or any other remuneration, as the case may be; to manage the information corresponding to social security and family compensation funds; to meet the information requirements of government entities and comply with legal reporting obligations in fiscal, tax and any other nature; to support internal or external auditing processes; to maintain efficient communication with employees, officers or collaborators; to manage and report changes that may occur in the development of the contractual relationship; to conduct internal studies on habits; to allow employees access to computer resources.

3.3.- Sensitive data and data corresponding to children and adolescents.

In no event and under no circumstances shall data considered as sensitive or data corresponding to children or adolescents be processed. The collection of data from employees, officers or collaborators is not oriented to collect sensitive information or information of children or adolescents.

3.4.- Duties of the data controller.

FOURTH: RIGHTS AND POWERS OF THE OWNER:

4.1.- Rights of the Holder. Once the authorization has been granted by the Holder for the corresponding processing, he/she has the right to: a) Know, update and rectify his/her personal data. This right may be exercised against partial, inaccurate, incomplete, fractioned, misleading data, or data whose Processing is expressly prohibited or has not been authorized; b) Request proof of the authorization granted, except when expressly exempted as a requirement for the Processing, in accordance with the provisions of Article 10 of Law 1581 of 2012; c) Be informed by the person responsible and/or in charge of the personal data, upon request, of the use that has been made of their personal data; d) File complaints before the Superintendence of Industry and Commerce for violations of the provisions of the law; e) Revoke the authorization and/or request the deletion of the data when the Processing does not respect the constitutional and legal principles, rights and guarantees. The revocation and/or deletion shall proceed when the Superintendence of Industry and Commerce has determined that the Processing has incurred in conduct contrary to this law and the Constitution; f) Request, at any time to the responsible or in charge, the deletion of their personal data and/or revoke the authorization granted for the Processing of the same, by filing a claim, shall not proceed when the Holder has a legal or contractual duty to remain in the database. g) Access free of charge to their personal data that have been subject to Processing: (i) at least once every calendar month, and (ii) whenever there are substantial modifications to the Information Processing Policies that give rise to new queries. In case of requests whose periodicity is greater than one per calendar month, the responsible and/or in charge, may charge the Holder the costs of shipping, reproduction and, where appropriate, certification of documents.

4.2.- Legitimation for the exercise of the holder's rights.

4.3.- Procedure to exercise the rights to know, update, rectify or delete information and revoke authorization.

The procedures for access, updating, deletion and rectification of personal data, and revocation of authorization, may be advanced through inquiries or complaints, sent to the email calidad.sonestacali@ghlhoteles.com or to the address Calle 18 Norte No. 4N-08 Cali, Colombia. depending on the purpose they pursue, establishing at least, the legitimacy that you have to make the request and stating clearly and concretely, what is intended.

All requests, suggestions and recommendations related to the treatment of information should be sent to the e-mail calidad.sonestacali@ghlhoteles.com, and will be answered within ten (10) working days of receipt at the latest.

4.4.- Procedure for the correction, updating or deletion of data and for the submission of complaints and claims.

Quien esté legitimado por la ley, y considere que la información contenida debe ser objeto de corrección, actualización o supresión; o cuando considere que el tratamiento dado a los datos personales infringe normas legales, podrá presentar, en concordancia con el artículo 15 de la Ley 1581 de 2012, reclamos al correo electrónico calidad.sonestacali@ghlhoteles.com.

Las quejas y reclamos serán tramitados bajo las siguientes reglas:

4.4.1.- The claim shall be formulated by means of a request addressed to the Data Controller or the Data Processor, with the identification of the Data Subject, the description of the facts that give rise to the claim and the address, accompanied by the documents to be asserted. If the claim is incomplete, the interested party will be required within five (5) business days following receipt of the claim to correct the faults. After two (2) months from the date of the requirement, without the applicant submitting the required information, it will be understood that the claim has been withdrawn.

In the event that whoever receives the claim is not competent to resolve it, it will be transferred to the appropriate person within a maximum period of two (2) business days and the interested party will be informed of the situation.

4.4.2.- Once the complete claim has been received, a legend stating "claim in process" and the reason for the claim shall be included in the database within a term no longer than two (2) business days. Said legend shall be maintained until the claim is decided.

4.4.3.- The maximum term to address the claim shall be fifteen (15) business days from the day following the date of its receipt. When it is not possible to address the claim within such term, the interested party shall be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

4.5.- Inquiries and access to information.

Consultations of personal data contained in the database will be answered by written request through the e-mail calidad.sonestacali@ghlhoteles.com.

Queries will be answered within a maximum term of ten (10) working days from the date of receipt. When it is not possible to answer the consultation within such term, the interested party will be informed before the expiration of ten (10) working days, stating the reasons for the delay and indicating the date on which the consultation will be answered, which in no case may exceed five (5) working days following the expiration of the first term.

FIFTH: SECURITY.

5.1.- Security in the handling of information.

5.2.- Transfer and transmission of data.

SIXTH: DISSEMINATION AND VALIDITY

6.1.- Means of dissemination of information processing policies and privacy notice.

This document, which establishes the policies for the processing of information on personal data collected, will be permanently published on the link www.sonestacali.com so that it can be consulted by anyone interested.

6.2.- Entry into force of the information processing policies.

This document comes into force on February 22, 2014.

6.3.- Procedure for policy modification events.

In the event that modifications are made to the personal data processing policies set forth herein, they will be notified and communicated through this web page, prior to their entry into force.

6.4.- Incorporation of the terms and conditions of use of the website www.sonestacali.com.

In accordance with the applicable regulations, the information treatment policy is an integral part of the terms and conditions of use of the website www.sonestacali.com.

6.5. - Responsible for the information.

Any communication may be addressed to Calle 18 Norte No. 4N-08, Cali, or by e-mail to calidad.sonestacali@ghlhoteles.com.

Cookies Policy, More details can be found in our page Cookies Policy