POLICY OF TREATMENT OF PERSONAL DATA
MARQUILLAS Y ACCESORIOS S.A.

CHAPTER 1 PRELIMINARY PROVISIONS

ARTICLE 1. PURPOSE: The policy of treatment of personal data of Marquillas y Accesorios S.A., is built in order to establish the parameters under which should be treated and managed the personal data of natural persons that make up the databases under the responsibility of Marquillas y Accesorios S.A.

ARTICLE 2. SCOPE: This Policy of treatment of Personal Data shall apply to all Personal Data on which MARQUILLAS Y ACCESORIOS S.A. acts as responsible and / or responsible for the processing of personal data.

ARTICLE 3. IDENTIFICATION OF THE PERSONAL DATA PROCESSING CONTROLLER: MARQUILLAS Y ACCESORIOS S.A.: Company with address at Calle 86 No. 48-47 in the municipality of Itagüí, Antioquia, Colombia; telephone (+574) 4484009. Email: protecciondedatos@marquiacces.com.co.

ARTICLE 4. DEFINITIONS: For purposes of contextualization and understanding of this policy, the following terms shall be understood as follows:

1. Personal data: It is the set of information that can be linked to one or more natural persons.
2. Public data: It is all that contained in a public document, relating to the civil status of persons, their profession and trade, the quality of merchant or public servant; they are also public those that the law determines as such, and that are not classified as private or semi-private.
3. Semi-private data: Data whose knowledge or disclosure is of interest to the owner and to a specific group of persons.
4. Private Data: Any data whose knowledge or disclosure is of interest only to the owner due to its intimate or private nature.
5. Sensitive Data: Any private data whose improper use may lead to discrimination.
6. Personal data owner: Natural person who is related to the personal data or data.
7. Database: Organized set of personal data subject to processing by the person in charge or in charge of the controller or processor.
8. Controller: The natural or legal person authorized to process personal data.
9. Processor: This is the natural or legal person who processes personal data under the responsibility of the data controller.
10. Authorization: Permission granted by the owner for the processing of his/her data by any means, provided that it is prior, express and verifiable.
11. Transmission: Treatment given by the person in charge to the personal data, to communicate them outside or inside the national territory, under the responsibility of the person in charge.
12. Transfer: Processing given by the controller or processor by sending personal data to a controller, other than the sender, located inside or outside the country.

ARTICLE 5. DATA PROCESSING OFFICER: The personal data processing officer and responsible for handling requests, queries and claims shall be the Personal Data Processing Committee.

CHAPTER 2 CLASSIFICATION OF DATABASES

ARTICLE 6. TYPES OF DATABASES: within the activities of MARQUILLAS Y ACCESORIOS S.A., there are mainly the following databases that store personal data:

1. Suppliers database: It is the database in which data of natural or legal persons who provide goods and / or services to MARQUILLAS Y ACCESORIOS S.A. are collected, stored and used for its normal operation. However, only the personal data of natural persons who are in this database, identified as assets, will be subject to this policy.
2. Customer database: It is the database in which are collected, stored and used data of natural or legal persons who purchase or have purchased goods produced by MARQUILLAS Y ACCESORIOS S.A., and that can be collected by different means (Fairs, references, contact sellers). However, only the personal data of natural persons who are in this database, identified as assets, will be subject to this policy.
3. Database of employees and contractors: It is the database in which personal data of employees and contractors of MARQUILLAS Y ACCESORIOS S.A. are collected, stored and used. contractors of MARQUILLAS Y ACCESORIOS S.A. For the purposes of this database, there must be an employment or contractual relationship between the owners and the person responsible for the processing of personal data. For retired employees and contractors, their data will only be processed to give references, provide information to pension funds, EPS; or for any of the other purposes determined by law.
4. Database of fairs and events: It is the database in which personal data of persons attending fairs or events in which the data controller participates are collected, stored and used.
5. Database of partners: It is the database in which personal data of natural persons who are partners of MARQUILLAS Y ACCESORIOS S.A. are collected, stored and used.

ARTICLE 7. PERSONAL DATA COLLECTED, STORED AND USED BY MARQUILLAS Y ACCESORIOS S.A.: The responsible and / or (s) responsible for data processing, will collect, store and use the data that will feed the different types of databases contained in this policy. Additionally, in each format, survey, or other means of collection, you will be informed of the data to be treated according to the purposes contained in this policy.

CHAPTER 3 TREATMENT

ARTICLE 8. PURPOSES OF THE PROCESSING: MARQUILLAS Y ACCESORIOS S.A. in the development of its corporate purpose and its relations with third parties, understood as customers, employees, suppliers, creditors among others; constantly collects data to carry out various purposes and uses within which can be framed:

1. Maintain constant communication with the owners of the personal data, regarding the company’s activities, according to the profiles of each database defined in this policy.
2. Carrying out administrative, commercial, promotional, informational activities of marketing and sales.
3. To offer all kinds of commercial services; as well as to carry out promotional, marketing and advertising campaigns.
4. Search for a closer relationship with all its customers, suppliers, employees and related third parties.
5. Maintain a consolidation of the population that integrates the operation of the company, and the performance of statistics, surveys and other activities aimed at obtaining indicators or relevant information for the fulfillment of the institutional mission.
6. Share personal data or databases processed by MARQUILLAS Y ACCESORIOS S.A. to third parties that manage, assist or develop the execution of the company’s own activities or in compliance with legal provisions or business relationships with such third parties.
7. Evaluations in accordance with the company’s policies and quality standards.
8. Other purposes contemplated in MARQUILLAS Y ACCESORIOS S.A.’s Personal Data Processing Policy S.A.

In relation to the above, the responsible party may take the following actions:

● Obtain, store, compile, exchange, update, collect, process, reproduce and/or dispose of the partial or total data or information of those owners who grant due authorization in the terms required by law and in the formats deemed convenient in each case.
● Classify, sort, separate the information provided by the owner of the data.
● Conduct research, compare, verify and validate the data obtained in due form with credit bureaus with which it has commercial relations.
● To strengthen relationships with its customers, by sending relevant information, taking orders and attention to Requests, Complaints and Claims (PQR’s) by the customer service area, the evaluation of the quality of customer service and the invitation to events organized or sponsored or in which MARQUILLAS Y ACCESORIOS S.A. participates, among others.
● For the verification of your accounts payable balances;
● For the determination of outstanding obligations, the consultation of financial information and credit history and the reporting to information centers of unfulfilled obligations, with respect to its debtors.;
● For marketing, statistical, research and other commercial purposes that do not contravene the legislation in force in Colombia;
● Among other activities related to the purposes contained in the present policy.

ARTICLE 9. TRANSFERS AND TRANSMISSIONS FOR PROCESSING BY NATIONAL AND INTERNATIONAL THIRD PARTIES OF PERSONAL DATA PROVIDED TO MARQUILLAS Y ACCESORIOS S.A.: The acceptance of this policy by the holders of personal data implies acceptance of the possibility that MARQUILLAS Y ACCESORIOS S. A. to transfer or transmit all or part of the personal data to a third party in the country or abroad; the above in compliance with the rules governing the matter.

MARQUILLAS Y ACCESORIOS S.A. undertakes to inform the holders of the conditions under which the authorization was given; in turn, it will inform third parties that it may only process this data while the legal or contractual relationship with the company subsists.

ARTICLE 10. AUTHORIZATION: MARQUILLAS Y ACCESORIOS S.A. will process the data of the natural persons expressly authorizing it, in accordance with the procedures set out in this policy.

ARTICLE 11. PROCESSING OF SENSITIVE DATA: MARQUILLAS Y ACCESORIOS S.A. will only process sensitive data when the owner has expressly provided the authorization for its processing. In light of this, MARQUILLAS Y ACCESORIOS S.A., at the time of the collection of the data, will inform the holder that the data he will provide are sensitive, and the power that assists him to refrain from providing them.

ARTICLE 12. PROCESSING OF PERSONAL DATA OF CHILDREN AND ADOLESCENTS: MARQUILLAS Y ACCESORIOS S.A. will only process data of children and adolescents who have the character of public, with the prior authorization of parents for such treatment

CHAPTER 4 RIGHTS OF THE HOLDERS OF PERSONAL DATA

ARTICLE 13. RIGHTS: The natural persons whose Personal Data are subject to Processing by the Controller have the following rights, which they may exercise at any time:

1. To know the data on which THE COMPANY is performing the processing. Similarly, the Data Subject may request at any time that their data be updated or rectified, for example, if he finds that his data is partial, inaccurate, incomplete, fractioned, misleading, or those whose treatment is expressly prohibited or has not been authorized.
2. Request proof of the authorization granted to THE COMPANY for the processing of his/her Personal Data.
3. Be informed by THE COMPANY, upon request, regarding the use that it has given to their Personal Data.
4. File complaints before the Superintendence of Industry and Commerce for violations of the provisions of the Data Protection Law.
5. Request to THE COMPANY the deletion of his/her Data and/or revoke the authorization granted for the Processing of the same, by filing a claim, in accordance with the established procedures. However, the request for deletion of the information and the revocation of the authorization shall not proceed when the Data Subject has a legal duty to remain in the Database and/or Files, nor while the relationship between the Data Subject and THE COMPANY is in force, by virtue of which the data were collected. The foregoing without prejudice to the fact that in case of improper use of personal data by the data controller or persons in charge, the revocation must be made immediately.
6. Access free of charge to your Personal Data subject to Processing.

CHAPTER 5 PERSONAL DATA PROCESSING COMMITTEE

ARTICLE 14. CONFORMATION: The committee shall be composed of a representative of the Purchasing, Human Resources, Commercial and Production areas, who shall be appointed by the head of each area and shall be the same during the entire period of the committee.

PARAGRAPH: The chairman of the committee shall be elected by half plus one of the members, and shall be the articulator of the entire management of the processing of personal data.

ARTICLE 15. TERM OF THE COMMITTEE: The committee shall be formed annually, in the month of June of each year. The members may be re-elected without limitation.
ARTICLE 16. FUNCTIONS OF THE COMMITTEE:

1. Custody of authorizations and agreements for the processing of personal data that are in charge of Marquillas y Accesorios S.A., either as responsible or in charge.
2. To respond to requests, complaints and claims related to the processing of personal data, and the rights of the owners of such data.
3. Coordinate actions to improve the management of personal data processing.
4. Suggest the implementation of policies aimed at the security of the information under the company’s custody.

CHAPTER 6 PROCEDURES

ARTICLE 17. PROCEDURES FOR THE EXERCISE OF THE RIGHTS OF THE PERSONAL DATA OWNERS: The procedures described below may only be exercised by the Data Subject, his assignees or representatives, whenever the identity or representation is previously accredited.

In all procedures the holder or his representatives must indicate at least their full name, their contact details which must include: an email address, an address for sending correspondence, a contact telephone or cell phone and the indication that they are acting on their own behalf or the accreditation of being acting on behalf of another, when applicable, by means of a duly granted power of attorney. At the same time, they must indicate the personal data on which the request is based and must provide the documents or other elements that respond or support the request. Finally, in any of the requests, the holder or his/her representative must indicate the medium, the event or any other information that allows establishing the database containing the data subject of the request.

1. Procedure to know the personal data processed by MARQUILLAS Y ACCESORIOS S.A.: The owner of the personal data or their representatives may submit a request to MARQUILLAS Y ACCESORIOS S.A. and/or the person in charge of the data processing to allow him/her to know the data that have been collected, stored and/or used.
   1. The holder must send a written request to the email protecciondedatos@marquiacces.com.co, or to Calle 86 No. 48 – 47 in the municipality of Itagüí; promptly indicating the purpose of the request and a brief reason for it. You must also indicate your full name, your contact information, which must be at least: email, correspondence address, telephone or cellular contact, and the indication that you are acting on your own behalf, or the accreditation of being acting on behalf of another. In the case of not being an heir or successor in title, representation must be evidenced by means of a duly granted power of attorney.
   2. MARQUILLAS Y ACCESORIOS S.A., through its data processing officer will review and respond to the request within a maximum period of 10 working days, counted from the date of receipt of the request. If it is not possible to attend the request within this term, the holder will be notified of the reason why the request cannot be attended within the term and the date on which the request will be attended, which in no case may exceed 5 working days from the expiration of the first term.
2. Procedure to correct, update, rectify or delete personal data processed by MARQUILLAS Y ACCESORIOS S.A.: The owner of the personal data or their representatives may submit a request to MARQUILLAS Y ACCESORIOS S.A. and/or the data processor to have their personal data processed by the company corrected, updated or deleted if they so wish or if they consider that there is a breach of any of the duties contained in the General Personal Data Protection Regime or in these policies, by following the following procedure:
   1. The holder or his representative shall submit a request addressed to the data controller or data processor indicating: the identification of the holder, the description of the facts that give rise to the claim, the address and other contact details of the holder. Likewise, the holder or his representative shall accompany the request with the documents that corroborate the same.
   2. Once the request is received in due form, and within a term not exceeding two working days from the date of receipt thereof, the phrase “Claim personal data in process” and the reason for the same will be included in the database, which will be kept in the database until the request has been decided. Likewise, there will be two working days to transfer the request to the person competent to deal with it, if the person who receives it is not entitled to answer it.
   3. The person responsible or in charge of the treatment will have 15 working days from the day following the reception of the request to attend it; if it is not possible to attend the request in the indicated term, MARQUILLAS Y ACCESORIOS S.A. will inform the interested party, indicating the reasons and informing him/her the date in which his/her request will be solved. In no case the new date may exceed eight working days after the expiration of the initial term.
   4. Paragraph: The suppression of personal data may not be granted upon request made by the owner or his representative, when there is a legal or contractual duty for the data to remain in the database.
3. Procedure to revoke the authorization given to MARQUILLAS Y ACCESORIOS S.A. to process personal data: The owner of the personal data or his representative, may revoke the authorization given to MARQUILLAS Y ACCESORIOS S.A. for the processing of their personal data, by submitting a request addressed to the data controller or the person in charge thereof, in which the purpose of the request is specified. To process the request, the procedure established in the procedure for correcting, updating, rectifying or deleting personal data processed by MARQUILLAS Y ACCESORIOS S.A

ARTICLE 18. RIGHT OF CONSULTATION: The holders of personal data are informed that they have the right to know free of charge the data that they have in the databases processed by MARQUILLAS Y ACCESORIOS S.A., at least once every calendar month or whenever substantial modifications are made to these policies.

ARTICLE 19. INFORMATION OBTAINED PASSIVELY: When accessing or using the services contained within the websites of THE COMPANY, it may collect information passively through technologies for the management of information, such as “cookies”, through which information is collected about the hardware and software of the equipment, IP address, browser type, operating system, domain name, access time and the addresses of the websites of origin; through the use of these tools do not directly collect Personal Data of users. Information will also be collected about the pages that the person visits most frequently on these websites in order to know their browsing habits. However, the user of the websites of THE COMPANY has the possibility to configure the operation of cookies, according to the options of your Internet browser.

ARTICLE 20. DATA SECURITY: THE COMPANY, in strict application of the Data Processing Security Principle, shall provide the necessary technical, human and administrative application of the Data Processing Security Principle, shall provide the technical, human and administrative measures necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access. The obligation and responsibility of THE COMPANY is limited to have the appropriate means for this purpose. THE COMPANY does not guarantee the total security of its information nor is it responsible for any consequence derived from technical failures or improper access by third parties to the Database or File in which the Personal Data subject to Processing is stored by THE COMPANY and its Agents. THE COMPANY shall require the service providers it hires to adopt and comply with the appropriate technical, human and administrative measures for the protection of the Data in relation to which such providers act as Processors.

ARTICLE 21. APPLICABLE LEGISLATION: This Personal Data Protection Policy, the Privacy Notice, the Authorization Form that is part of this Policy, and other Annexes, are governed by the provisions of the current legislation on Data protection referred to in Article 15 of the Political Constitution of Colombia, Law 1266 of 2008, Law 1581 of 2012, Decree 1377 of 2013, and other regulations that modify, repeal or replace them.

ARTICLE 22. VALIDITY: this Personal Data Protection Policy is effective as of June 9, 2017.