PRIVACY POLICY AND PERSONAL DATA PROCESSING – TURMEQUÉ

1. GENERAL PROVISIONS

In accordance with Article 15 of the Political Constitution of Colombia, the right to personal data protection is the right that every person has to know, update, rectify, and/or cancel the information and personal data collected about them and/or processed in public or private databases. Likewise, Statutory Law 1581 of 2012, which sets out general provisions for the protection of personal data, establishes in Articles 17 and 18 the duties of those responsible for and in charge of the processing of Personal Data, among which is the obligation to adopt an internal policy and procedures manual to ensure proper compliance with the personal data protection law. In the same vein, Decree 1377 of 2013, which partially regulates Statutory Law 1581 of 2012, establishes aspects inherent to the content and requirements of Personal Data Processing Policies and Privacy Notices. Equally, Law 2300 of 2023 establishes certain measures to protect consumers’ right to privacy by setting channels, schedules, and frequency for commercial relationships when using short text messages, email, and telephone calls for commercial and advertising purposes.

In this context, MISCELNEA TURMEQUÉ S.A.S. is consistent with its responsibilities regarding the protection of personal data of all persons with whom it has a relationship through any channel that at some point involves access to their personal data, especially the adoption of a policy for the use and handling of personal information held in its databases in the ordinary course of its business, service provision, purchase and sale of products, and any type of pre-contractual and contractual relationship. For this reason, this policy applies to all personal information of Data Subjects, including users, employees, contractors, suppliers, advisors, consumers, shareholders, representatives, visitors, or any person who for any reason provides information to TURMEQUÉ, its commercial establishments, website, and social media, as long as it involves the processing of personal data. Finally, TURMEQUÉ may at any time update this policy in light of regulatory developments, legal recommendations, administrative and/or judicial orders, which will be notified to all Personal Data Subjects by sending and/or publishing the updates through the channels made available by TURMEQUÉ. For this reason, Data Subjects are encouraged to regularly review this policy to ensure they are aware of the most recent version. Data Subjects may consult this policy by requesting it at the commercial establishments or by consulting it directly at www.tejoturmeque.com

2. GENERAL OBJECTIVE

The purpose of this policy is to provide a guarantee of confidentiality and security in the Processing of Personal Data that is lawfully collected, processed, stored, circulated, deleted, and/or modified by TURMEQUÉ from Data Subjects, users, employees, contractors, suppliers, advisors, consumers, shareholders, representatives, visitors, or any person who for any reason provides information to TURMEQUÉ, in accordance with Colombian regulations and this policy.

3. MANDATORY COMPLIANCE

This policy is mandatory for TURMEQUÉ, as well as for Data Subjects, users, employees, contractors, suppliers, advisors, consumers, shareholders, representatives, visitors, or any person who for any reason provides information to TURMEQUÉ, as long as it involves the processing of personal data. Thus, any action related to Personal Data and Processing will be governed by this policy and, in matters not covered herein, by applicable law. Any breach of the policy will result in contractual sanctions. This is without prejudice to the legal duty to be financially responsible for any damages and losses caused to the Data Subjects or TURMEQUÉ as a result of non-compliance with the Policy or the improper processing of the Data Subjects’ personal data.

4. DEFINITIONS

For the purposes of this policy and based on Law 1581 of 2012 and other concordant regulations, the following definitions are established, which shall be applied and implemented consistently, always embracing the principle of favorable interpretation and, in particular, taking into account advances in criteria and definitions applicable at the time of interpretation:

• Authorization: Prior, express, and informed consent given by a Data Subject to allow the Processing of their Personal Data by the Data Controller.
• Privacy Notice: Electronic and/or physical document generated by the Data Controller, made available to the Data Subject containing information regarding the existence of the Information Processing Policies that will apply to them, how to access them, and the characteristics and purposes of the Processing intended for the personal data.
• Database: Organized set of personal data that is subject to Processing.
• Query: Verbal or written request from the Data Subject or persons authorized by them or by law to access the personal data held or stored in a database.
• Personal Data: Any information linked to or that can be associated with one or more identified or identifiable natural persons. Data may be public, semi-private, private, or sensitive.
• Private Data: Data that, by its intimate or reserved nature, is only relevant to the Data Subject.
• Public Data: Data that is neither semi-private, private, nor sensitive. Public data includes, among others, data relating to a person’s civil status, profession or trade, and their status as a merchant or public servant. By its nature, public data may be contained, among other sources, in public records, public documents, official gazettes and bulletins, and duly final judicial rulings not subject to confidentiality.
• Semi-Private Data: Data that is neither intimate, reserved, nor public in nature, and whose knowledge or disclosure may interest not only the Data Subject but also a certain sector or group of persons or society at large, such as financial and credit data relating to commercial or service activity.
• Sensitive Data: Data that affects the personal privacy of the Data Subject or whose improper use may lead to discrimination. This includes data related to racial or ethnic origin, membership in trade unions, social or human rights organizations, political or religious convictions, sexual life, biometric data, or health data. The Data Subject may decline to provide this information.
• Rights of children and adolescents: In Processing, the prevailing rights of children and adolescents shall be respected. Only data of a public nature, or data provided by their legal representatives, may be processed.
• Data Processor: A natural or legal person, public or private, that alone or in association with others carries out the Processing of Personal Data on behalf of the Data Controller.
• Habeas Data: The right of any person to know, update, and rectify information collected about them in databases and files of public and private entities.
• Internal Mechanisms: Those adopted by the responsible area to implement internal policies, including implementation tools, security, training, and education programs.
• Platform/site/page/website: Web development that enables and facilitates USERS’ access to the services offered by tejoturmeque.com. This refers to all web content of tejoturmeque.com and all links, microsites, pop-ups, notices, announcements, pages, blog posts, and content derived from tejoturmeque.com. This refers to TURMEQUÉ.
• Claim: Verbal or written request from the Data Subject or persons authorized by them or by law to update, correct, or delete the personal data held or stored in a database.
• Data Controller: A natural or legal person, public or private, that alone or in association with others decides on the Database and/or the processing of the data.
• Data Subject: The natural person whose Personal Data is subject to processing.
• Transfer: Data transfer takes place when the Data Controller and/or Data Processor, located in Colombia, sends information or Personal Data to a recipient who is also a Data Controller and is located within or outside Colombian territory, in accordance with the authorized purpose set out in this policy.
• Transmission: Processing of Personal Data that involves communicating such data within or outside the territory of the Republic of Colombia when the purpose is to carry out Processing by the Data Processor on behalf of the Data Controller, in accordance with the authorized purpose set out in this policy.
• Processing: Any operation or set of operations performed on Personal Data, such as collection, storage, use, circulation, transfer, transmission, or deletion.
• User/users: A natural or legal person who accesses, browses, or uses the services or carries out any type of activity, such as reservations, queries, purchases, purchase intent, quotes, and/or any other activity, whether free or paid, through the site. This includes employees, contractors, suppliers, advisors, consumers, shareholders, representatives, visitors, or any person who for any reason provides information to TURMEQUÉ.

5. APPLICABLE REGULATIONS

• a. Political Constitution, Articles 15 and 20
• b. Statutory Law 1266 of 2008
• c. Statutory Law 1581 of 2012
• d. Law 2300 of 2023
• e. Decree 1727 of 2009
• f. Decree 2952 of 2010
• g. Decree 1377 of 2013
• h. Decree 886 of 2014
• i. Decree 1074 of 2015

6. PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA

For the interpretation, development of activities, and regulatory application, regardless of type, the harmonious application of the following principles shall apply throughout:

• 6.1. Principle of legality in Personal Data Processing: In the capture, collection, use, and processing of personal data, TURMEQUÉ shall apply Article 15 of the Political Constitution; Statutory Law 1581 of 2012; Decree 1377 of 2013; and other current and applicable regulations governing the processing of personal data and other related fundamental rights, with special emphasis on those mentioned in the “Applicable Regulations” section.
• 6.2. Principle of purpose: The capture, collection, use, and processing of personal data by TURMEQUÉ, or to which TURMEQUÉ has access, shall serve a legitimate purpose in accordance with the Constitution and applicable laws, which must be disclosed to the Data Subject.
• 6.3. Principle of freedom: The capture, collection, use, and processing of personal data may only be carried out with the prior, express, and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization. Processing may, however, take place if ordered by law, a court, and/or an administrative authority.
• 6.4. Principle of accuracy or quality: Information subject to capture, collection, use, and processing of personal data must be truthful, complete, accurate, up-to-date, verifiable, and comprehensible. The Processing of partial, incomplete, fragmented, or misleading data is prohibited.
• 6.5. Principle of transparency: In the capture, collection, use, and processing of personal data, the Data Subject’s right must be guaranteed to obtain from TURMEQUÉ, at any time and without restrictions, information about the existence of data concerning them.
• 6.6. Principle of restricted access and circulation: The capture, collection, use, and processing of personal data is subject to the limits arising from the nature of personal data and from the current and applicable regulations governing the processing of personal data and other related fundamental rights. In this sense, personal data, except for public information, shall not be available on the Internet or other mass disclosure or communication media, unless access is technically controlled to provide restricted knowledge only to Data Subjects or authorized third parties as permitted by law.
• 6.7. Principle of security: Information subject to capture, collection, use, and processing by TURMEQUÉ shall be handled with the necessary existing technical, human, and administrative measures to provide security for the records, preventing their alteration, loss, unauthorized or fraudulent use or access.
• 6.8. Principle of confidentiality: All persons involved in the administration, management, and updating, or who have access to information contained in Databases that is not of a public nature, are obligated at all times to maintain the confidentiality of such information, even after their relationship with any of the tasks comprising the Processing of information has ended. They may only share or communicate personal data when doing so corresponds to the development of activities authorized by current and applicable regulations governing the processing of personal data and other related fundamental rights.
• 6.9. Principle of temporality: Personal data shall be retained only for the reasonable and necessary time to fulfill the purposes that justified its processing, taking into account the provisions applicable to the subject matter and the administrative, accounting, tax, legal, and historical aspects of the information. Data shall be retained when necessary for compliance with a legal or contractual obligation. Once the processing purpose and the terms established above have been fulfilled, the data shall be deleted.

7. PERSONAL DATA PROCESSING CONTROLLERS

The controller responsible for the capture, collection, use, and processing of your personal data is:

• Company name: MISCELNEA TURMEQUÉ S.A.S.
• NIT: 901374794-2
• Physical address: Avenida 19#117-04
• Electronic notification address: reservas@tejoturmeque.com
• Contact phone: 3505007546

COMMERCIAL ESTABLISHMENTS OF THE CONTROLLER WHERE THIS POLICY APPLIES:

• Tejo Turmequé Chapinero
• Turmequé Santa Bárbara

8. DUTIES AS PERSONAL DATA PROCESSING CONTROLLER

TURMEQUÉ shall have the following duties as Data Controller:

• 8.1. Guarantee the Data Subject, at all times, the full and effective exercise of the right of habeas data;
• 8.2. Request and retain, under the conditions set out in current regulations, a copy of the respective authorization granted by the Data Subject;
• 8.3. Duly inform the Data Subject of the purpose of the collection and the rights they have by virtue of the authorization granted;
• 8.4. Retain the information under the necessary security conditions to prevent its alteration, loss, consultation, unauthorized or fraudulent use or access;
• 8.5. Ensure that the information provided to the Data Processor is truthful, complete, accurate, up-to-date, verifiable, and comprehensible;
• 8.6. Update the information, promptly notifying the Data Processor of all changes to data previously provided, and adopting any other measures necessary to keep the information provided to them up to date;
• 8.7. Rectify the information when it is incorrect and notify the Data Processor accordingly;
• 8.8. Provide the Data Processor, as applicable, only with data whose Processing has been previously authorized in accordance with current regulations;
• 8.9. Demand from the Data Processor at all times compliance with the security and privacy conditions of the Data Subject’s information;
• 8.10. Handle queries and claims filed under the terms set out in current regulations;
• 8.11. Adopt an internal policy and procedures manual to ensure proper compliance with current regulations, and in particular for handling queries and claims;
• 8.12. Notify the Data Processor when certain information is in dispute by the Data Subject, once the claim has been filed and before the respective procedure has concluded;
• 8.13. Inform the Data Subject upon request about the use made of their data;
• 8.14. Notify the data protection authority when security code breaches occur and risks exist in the management of Data Subjects’ information; and
• 8.15. Comply with the instructions and requirements issued by the Superintendencia de Industria y Comercio.

9. TYPE OF INFORMATION COLLECTED BY TURMEQUÉ

• 9.1. Data at the time of managing a reservation, contract, relationship, interaction, purchase, sale, supply, and/or any other commercial, civil, free, or paid activity, such as first name, last name, age, nationality, identity document, domicile, profession or trade, gender, photograph, contact phone number, email address, and other information related to the identification of the USER.
• 9.2. Data entered by USERS when making a request to access a service, acquire a product, make reservations, or participate in events, activities, contests, and interactions on social media.
• 9.3. USER data related to payment for the service, such as payment information, payment method details, billing, shipping, and contact information.
• 9.4. Data related to the use of the website, social media, and WhatsApp, such as content viewed by the USER, features used, actions taken, entry date and time, frequency of service use, purchase intent, visit frequency, IP address, and browsing history.
• 9.5. Data related to USERS’ interests, actions, and connections, for the selection of advertisements and publicity.

10. PURPOSE OF PERSONAL DATA PROCESSING

Within the framework of the rights to privacy, good name, image, and other Constitutional rights, TURMEQUÉ shall only use personal data that the Data Subject has previously and expressly authorized, always within the ordinary course of TURMEQUÉ’s business:

USERS

• Establish commercial, contractual, social, and labor relationships between TURMEQUÉ and USERS.
• Provide the services offered to USERS through TURMEQUÉ;
• Make offers of TURMEQUÉ services or products;
• Execute internal research processes, market studies, and consumer behavior analysis by TURMEQUÉ;
• Prepare demographic studies by TURMEQUÉ;
• Update TURMEQUÉ’s Databases.
• Send emails, text messages, WhatsApp communications, or other communications related to the provision of TURMEQUÉ’s services;
• Carry out legal guarantee acts, collections, purchases, sales, loans, and commercial transactions by TURMEQUÉ and USERS;
• Transmit data to third parties for commercial, administrative, marketing, and/or operational purposes;
• Process all information necessary for compliance with tax obligations and commercial, corporate, and accounting records;
• Carry out fraud and money laundering prevention and control, consult restricted lists, and gather all information required to carry out ML/TF verification procedures.
• Maintain and process any type of information related to the Data Subject in order to offer them services and products.
• In the case of biometric data captured through video surveillance or recording systems, the processing shall aim at identification, security, and the prevention of internal and external fraud.
• Evaluate the quality of the services and products provided and marketed by TURMEQUÉ.
• Process, fulfill, and provide reservation requests, delivery services, and the provision of services at any of TURMEQUÉ’s commercial establishments.
• Send and share commercial information about activities, events, invitations, and any other matter related to those carried out by TURMEQUÉ, regarding launches, promotions, participation, contests, or simply the promotion of products and services.

EMPLOYEES / SHAREHOLDERS

• Carry out the activities necessary to comply with legal obligations in relation to the Company’s current and former employees.
• Monitor compliance with requirements related to the General Social Security System.
• In the case of biometric data captured through video surveillance or recording systems, the processing shall aim at identification, security, and the prevention of internal and external fraud.
• Personal data of minors shall be processed for the purpose of complying with legal obligations.
• Inform and communicate the general details of events organized by the Company through the channels and in the manner deemed appropriate.
• In the case of candidates in selection processes, the personal data processed shall aim to carry out the activities of the selection processes; resumes shall be handled in accordance with the principle of restricted access.
• Manage the Company’s financial and budgetary activities: entity payments, issuance of income and withholding certificates (natural and legal persons), and payment records and accounting management.

SUPPLIERS AND CONTRACTORS

• For all purposes related to the subject of selection, contractual processes, or those related thereto.
• Carry out all internal procedures and compliance with accounting, tax, and legal obligations.
• Manage the Company’s financial and budgetary activities: entity payments, issuance of income and withholding certificates (natural and legal persons), and payment records and accounting management.
• Carry out all activities necessary for compliance with the different contractual stages in relationships with suppliers and contractors.
• Issue contractual certifications requested by the Company’s contractors in fulfillment of their legal and contractual obligations.
• Maintain a digital archive that provides information corresponding to each contract.
• Any other purposes determined in processes of obtaining Personal Data for processing, and in all cases in accordance with the Law and within the framework of the functions attributable thereto.
• In the case of biometric data captured through video surveillance or recording systems, the processing shall aim at identification, security, and the prevention of internal and external fraud.

The collection of personal data and its automated processing aims to facilitate the management, administration, improvement, and expansion of the various services, the management or follow-up of incidents, as well as the sending of communications and any other purpose that TURMEQUÉ may require in the exercise of its corporate purpose. Information shall equally be collected for the purpose of generating advertising, offers, and announcements.

11. PRIVACY NOTICE

The Privacy Notice is the electronic or any other format document through which the Data Subject is informed of information relating to the existence of the information processing policies applicable to them, how to access these policies, and the characteristics of the Processing intended for Personal Data. The Privacy Notice shall contain, at a minimum, the following information:

• a. The identity, domicile, and contact details of the Data Controller.
• b. The type of processing to which the data will be subjected and the purpose thereof.
• c. The general mechanisms made available by the Data Controller so that the Data Subject can learn about the information processing policy and any substantial changes made to it.

12. DATA SUBJECT AUTHORIZATION

Authorization for the Processing of Personal Data must be obtained prior to, expressly, and with the consent of the Data Subject, in order to Process their Personal Data, without prejudice to the exceptions set out in current and applicable regulations. Authorization may be obtained by any means that can be subsequently consulted and verified, such as an electronic document, telephone calls, a data message with any technical or technological mechanism that allows consent to be expressed or obtained via click or double click. Authorization shall always be governed by the principles established in the Law and in this policy.

• 12.1. Authorization for the Processing of Personal Data shall be granted by:
  a. The Data Subject, who must sufficiently prove their identity.
  b. The representative and/or attorney-in-fact of the Data Subject, upon prior accreditation of the representation or power of attorney.
• 12.2. How to obtain authorization: Regardless of the means by which Authorization for the Processing of Personal Data was obtained, it is necessary to retain proof of the Authorization granted by Data Subjects to TURMEQUÉ, for which purpose TURMEQUÉ shall use the available mechanisms and adopt the necessary measures to maintain a record of the form, date, and manner in which Authorization was obtained. To this end, TURMEQUÉ may obtain proof of processing authorization through physical and/or electronic means, whether through its application, website, by telephone, or by any other suitable means by which the Data Subject provides such authorization. It shall be understood that, from the moment of use of the Website and acceptance of the Website Terms and Conditions of Use by the USER, they are aware of this Privacy Policy and its updates, so that such event shall serve as proof of authorization for the use of their data. The same provisions shall apply when the USER uses TURMEQUÉ’s social media, its reservation system whether online or via WhatsApp, when acquiring products and/or services, when intending to use them, when entering into contracts, agreements, or any type of civil and/or commercial relationship with TURMEQUÉ, or simply when accessing its commercial establishments or TURMEQUÉ’s facilities.
• 12.3. Cases where authorization is not required: Authorization from the Data Subject shall not be necessary when:
  a. The information is required by a public or administrative entity in the exercise of its legal functions or by court order.
  b. The data is public in nature.
  c. There is a medical or sanitary emergency.
  d. The information has been authorized by law for historical, statistical, or scientific purposes.
  e. The data is related to the Civil Registry of Persons.

13. RIGHTS OF PERSONAL DATA SUBJECTS

In accordance with Law 1581 of 2012 and its regulatory decrees, all Personal Data Subjects have the following rights regarding the processing of their data:

• a. To know, update, and rectify their personal data with the Data Controllers or Data Processors. This right may be exercised, among other cases, with respect to partial, inaccurate, incomplete, fragmented, or misleading data, or data whose Processing is expressly prohibited or has not been authorized;
• b. To request proof of the authorization granted to the Data Controller, except when it is expressly exempted as a requirement for Processing;
• c. To be informed by the Data Controller or Data Processor, upon request, regarding the use given to their personal data;
• d. To file complaints with the Superintendencia de Industria y Comercio for infringements of the Personal Data Protection Regime and other regulations that modify, supplement, or complement it;
• e. To revoke authorization and/or request deletion of the data when the Processing does not respect the constitutional and legal principles, rights, and guarantees;
• f. To access their personal data that has been subject to Processing, free of charge.

14. SENSITIVE DATA

In accordance with the current and applicable regulations regarding the processing of personal data and other fundamental rights determined by connection, and with this Personal Data Processing Policy, sensitive data is understood to mean data related to the personal privacy of the Data Subject, such as data that reveals racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in trade unions, social or human rights organizations, or organizations that promote the interests of any political party or that guarantee the rights of opposition political parties, as well as data related to health or sexual life, and biometric data, such as fingerprints, photographs, iris scans, voice recognition, facial recognition, or palm recognition.

14.1. Processing of Sensitive Data

TURMEQUÉ may capture, collect, use, and process data classified as sensitive when:

• a. The Data Subject has given their prior and explicit authorization for such processing, except in cases where the law does not require such authorization to be granted.
• b. Processing is necessary to safeguard the vital interest of the Data Subject and the latter is physically or legally incapacitated. In such cases, the legal representatives must grant their authorization.
• c. Processing is carried out in the course of legitimate activities and with proper guarantees by a foundation, NGO, association, or any other non-profit organization whose purpose is political, philosophical, religious, or trade union in nature, provided it refers exclusively to its members or to persons who have regular contact with it by reason of its purpose. In such cases, the data may not be provided to third parties without the Data Subject’s authorization.
• d. Processing refers to data necessary for the recognition, exercise, or defense of a right in judicial proceedings.
• e. Processing has a historical, statistical, or scientific purpose. In this case, measures aimed at the removal of the Data Subjects’ identity must be adopted.

15. PERSONAL DATA OF CHILDREN AND ADOLESCENTS

In the capture, collection, use, and processing of personal data held in TURMEQUÉ’s databases regarding children and adolescents, respect for the prevailing rights of minors shall be ensured. Any use of data of minors registered in TURMEQUÉ’s databases, or that may eventually be requested, must be expressly authorized by the legal representative of the child or adolescent, provided that: i) It respects and upholds the best interests of minors. ii) Respect for the fundamental rights of minors is ensured. iii) A proper written document is in place whereby the parents or, failing that, the legal representative, grants Authorization for the Processing of Personal Data of the minor, following the minor’s exercise of their right to be heard, taking into account the maturity, autonomy, and capacity of the minor to understand the matter. Similarly, TURMEQUÉ shall facilitate for the legal representatives of minors the possibility of exercising the rights of access, cancellation, rectification, and objection regarding the data of their wards. Data of minors that TURMEQUÉ THE WEBSITE may hold is exclusively for the purpose of providing those legal services that involve minors.

16. TRANSMISSION AND/OR TRANSFER

Databases or files shall not be provided to third parties, except with the express authorization of the Data Subject or in the cases provided for by law. The transfer and/or Transmission of data of USERS, collaborators, suppliers, contractors, and employees of TURMEQUÉ to third parties shall be carried out solely and exclusively for purposes corresponding to the corporate purpose and ordinary course of business of TURMEQUÉ, guaranteeing the rights and information of the Data Subject, a fact that is understood to be known and authorized from the moment of acceptance of this document. Should TURMEQUÉ carry out the transmission or transfer of Personal Data, the applicable regulations shall be observed, particularly the following rules:

• a. The Data Subject has granted their express and unambiguous authorization for the transfer;
• b. Exchange of medical data, when required for the treatment of the Data Subject for health or public hygiene reasons;
• c. Banking and stock market transfers, in accordance with the applicable legislation;
• d. Transfers agreed upon within the framework of international treaties to which the Republic of Colombia is a party, based on the principle of reciprocity;
• e. Transfers necessary for the performance of a contract between the Data Subject and the Data Controller or for the execution of pre-contractual measures, provided that the Data Subject’s authorization has been obtained; and
• f. Transfers legally required for the safeguarding of the public interest, or for the recognition, exercise, or defense of a right in judicial proceedings.

17. DATA CAPTURE THROUGH VIDEO SURVEILLANCE

TURMEQUÉ operates video surveillance systems aimed at complying with physical security policies, in accordance with the parameters set out in the Guide for the Protection of Personal Data in Video Surveillance Systems, issued by the SIC as the supervisory authority. Images must be retained for a maximum period of 90 days. If an image is the subject of or evidence in a claim, complaint, or any judicial proceeding, it shall be retained until such proceeding is resolved. Only authorized personnel shall have access to images captured by the video surveillance system.

18. AUTOMATIC COLLECTION OF INFORMATION THROUGH USE OF THE WEBSITE

TURMEQUÉ shall automatically collect, upon access to and use of the WEBSITE by USERS and third parties, information such as the Internet Protocol (IP) address, browser type, nature of the device used to access the WEBSITE, mobile or portable device identifier, actions taken on and through the WEBSITE, content and features accessed by the USER, information on reading, opening, and forwarding of email messages. Information shall be collected automatically through technologies such as standard server logs, cookies, and web beacons — web bugs. Automatically collected information shall be gathered by TURMEQUÉ to operate, manage, and improve service provision and systems through the WEBSITE. If automatically collected information is linked to or associated with personal information, such combined information shall be treated as personal information in accordance with this policy.

19. SECURITY MEASURES ADOPTED IN RELATION TO THE PROCESSING OF PERSONAL DATA

TURMEQUÉ, in application of the Security Principle in Personal Data Processing, shall provide the necessary technical, human, and administrative measures to ensure the security of the data, preventing its alteration, loss, consultation, unauthorized or fraudulent use or access.

• 19.1. Access to information: Databases consolidated in electronic files shall have a backup copy assigned the same security key as the main file, and access shall be limited to authorized personnel designated by TURMEQUÉ, who may access them when necessary and/or requested by the Data Subject in the cases established in this document, by law, and/or by judicial and/or administrative orders.
• 19.2. Protection mechanisms: TURMEQUÉ has set up communication channels for USERS through which they may exercise their rights, such as updating, rectifying, and deleting personal data, and through which they may also report when any type of information infringes laws, regulations, or this policy, all of which shall be evaluated by TURMEQUÉ in accordance with the provisions of this document.

20. PROCEDURES FOR EXERCISING THE RIGHTS OF PERSONAL DATA SUBJECTS

THE USER may exercise their right to know, update, rectify, and delete the personal data provided to TURMEQUÉ by sending a communication, at any time and free of charge, to the following email address reservas@tejoturmeque.com or through the CONTACT US option available on the WEBSITE at www.tejoturmeque.com, and in person at the address Avenida 19#117-04. Communications shall be handled and processed by the administrative team, who will have access to the email set up to receive queries or complaints; a record of receipt and processing of each request shall always be kept. Furthermore, in accordance with Article 20 of Decree 1377 of 2013 and Law 1581 of 2012, the rights of Data Subjects established by law may be exercised by:

• a. The Data Subject, who must sufficiently prove their identity through the various means made available by the Data Controller.
• b. Their heirs, who must prove such status.
• c. The representative and/or attorney-in-fact of the Data Subject, upon prior accreditation of the representation or power of attorney.
• d. By stipulation in favor of another or for another.
• e. Persons authorized to represent the rights of children and adolescents.

The petition or right exercised by the Personal Data Subject must contain:

• a. The USER’s first and last name.
• b. Contact details for receiving notifications.
• c. Documents that duly certify legal representation, heir status, legal standing, or power of attorney to act, if applicable.
• d. A clear and precise description of the personal data regarding which the Data Subject seeks to exercise any of their rights.