PERSONAL DATA TREATMENT AND PROTECTION POLICY
In compliance with the provisions of statutory law 1581 of 2012 and its regulatory decrees, ANDES TOURS SAS establishes the general policy and applicable guidelines for the treatment and protection of personal data.
1. OBJECTIVE
To establish general guidelines for the treatment and protection of personal data handled by ANDES TOURS SAS in compliance with law 1581 of 2012, its regulatory decrees and other regulations that repeal, modify or complement them.
2. SCOPE
This personal data treatment and protection policy shall be applied to all databases and files that include personal data that are subject to treatment by ANDES TOURS SAS as responsible for the treatment and protection of personal data.
3. DEFINITIONS
For the purposes of this policy, the definitions contained in law 1581 of 2012 are adopted, and the following terms shall be understood as:
Authorization: Prior, express and informed consent of the data subject to carry out the treatment of personal data.
Privacy notice: The document, in physical, electronic or any other known or unknown format, that is made available to the data subject in order to inform them about the treatment of their personal data.
Database: Organized set of personal data that is subject to treatment in accordance with the law.
Successor in interest: Person who by succession or transmission acquires the rights of another person.
Personal data: Any information linked to, or that can be associated with, one or more specific or identifiable natural persons.
Sensitive data: Data that affects the privacy of the data subject or whose misuse may generate discrimination, such as, for example: data that reveals racial or ethnic origin, political orientation, religious or philosophical convictions, or membership in unions or in social or human rights organizations, as well as data related to health, sexual life and biometric data.
Data Processor: Natural or legal person, public or private, who by themselves or in association with others, performs the treatment of personal data on behalf of the data controller.
Data Controller: Natural or legal person, public or private, who by themselves or in association with others, decides on the database and the treatment of data.
Data Subject: Natural person whose personal data is subject to treatment.
Transfer: Data transfer takes place when the controller and processor of personal data located in Colombia sends the information or personal data to a recipient, who in turn is responsible for the treatment and is located within or outside the country.
Transmission: Treatment of personal data that involves communication thereof within or outside Colombian territory when it aims to carry out treatment by the processor on behalf of the controller.
Treatment: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
4. IDENTIFICATION OF THE CONTROLLER
Company Name: ANDES TOURS SAS
Tax ID: 860.031.954-4
Address: Carrera 9 No. 74 – 08 Local 103 – Bogotá, Colombia
Email: info@andestours.com.co
5. INFORMATION TREATMENT
5.1. Legal compliance: ANDES TOURS SAS, hereinafter the Company, strictly complies with legal requirements regarding the treatment and protection of personal data, especially law 1581 of 2012, its regulatory decrees and other regulations that repeal, modify or complement them.
5.2. Purpose: The Company informs data subjects of the specific purpose of the treatment of their personal data, which in all cases shall have as its main purpose to carry out the administrative, commercial, accounting, fiscal, and operational management of the Company; as well as the development of welfare, health, cultural activities, and to ensure the safety of persons and property related to the Company’s activity.
The Company deletes personal data collected when it is no longer necessary or relevant for the purpose for which it was obtained, or when the data subject requests it in accordance with the law.
5.3. Authorization: The Company shall exercise the treatment of information with the prior, express and informed consent of the data subject, which shall be obtained through any means that can be subsequently consulted.
The Company requests authorization from every data subject whose personal data it treats, provided they are natural persons, so that their data can be treated in accordance with the purpose established in each case.
Authorization is not necessary when dealing with:
- Information required by a public or administrative entity in the exercise of its legal functions or by court order.
- Data of a public nature.
- Cases of medical or health emergency.
- Information treatment authorized by law for historical, statistical or scientific purposes.
- Data related to civil registration of persons.
5.4. Veracity: The information provided by the data subject must be truthful, complete, accurate, updated, verifiable and understandable. The data subject guarantees the authenticity of all data provided to the Company.
5.5. Rights of data subjects: Personal data subjects shall have the following rights and those granted by law:
- Know, update and rectify their personal data before the controller or processors of the treatment. This right may be exercised, among others, regarding partial, inaccurate, incomplete, fragmented data that induces error, or those whose treatment is expressly prohibited or has not been authorized.
- Request proof of authorization granted to the data controller except when expressly excepted as a requirement for treatment, in accordance with the provisions of section 5.3. of this policy.
- Be informed by the data controller or processor, upon request, regarding the use given to their personal data.
- File complaints with the Superintendency of Industry and Commerce for violations of the provisions of the law and other regulations that modify, add to or complement it.
- Revoke authorization and request data deletion when the treatment does not respect constitutional and legal principles, rights and guarantees. Revocation and deletion shall proceed when the Superintendency of Industry and Commerce has determined that, in the treatment, the controller or processor has engaged in conduct contrary to the law and the constitution.
- Access their personal data that has been subject to treatment free of charge.
5.6. Access and circulation of information: In the treatment of information, the Company adheres to the limits derived from the nature of personal data, the provisions of the law and the constitution. In this sense, the Company shall ensure that data is processed only by persons authorized by the data subject and in the cases provided by law.
Every process, controller and processor that by their functions has access to databases with personal information must comply with the provisions of the policy and procedure of this document.
5.7. Information security: The Company has the necessary technical, human and administrative measures to guarantee the security of personal data obtained and stored in its databases and files, preventing its adulteration, loss, or unauthorized or fraudulent consultation, use or access.
5.8. Confidentiality: The Company guarantees the confidentiality of information, even after completion of the work that comprises the treatment.
5.9. Sensitive data: The Company may only process sensitive data when:
- The data subject has given explicit authorization for such treatment.
- It is necessary to safeguard the vital interest of the data subject and they are physically or legally incapacitated. In these events, authorization from legal representatives is required.
- It refers to data that is necessary for the recognition, exercise or defense of a right in judicial proceedings.
- It has a historical, statistical or scientific purpose, provided that measures are adopted for the deletion of data subjects’ identity.
5.10. Special requirements for the treatment of personal data of children and adolescents: The treatment of personal data of children and adolescents is prohibited, except when dealing with data of a public nature, in accordance with the provisions of article 7 of law 1581 of 2012 and when such treatment complies with the following parameters and requirements:
- That it responds to and respects the best interest of children and adolescents.
- That respect for their fundamental rights is ensured.
Once the above requirements are met, the legal representative of the child or adolescent shall grant authorization after the minor exercises their right to be heard, an opinion that shall be valued taking into account maturity, autonomy and capacity to understand the matter.
Every controller and processor involved in the treatment of personal data of children and adolescents must ensure the adequate use thereof. For this purpose, the principles and obligations established in law 1581 of 2012, its Regulatory Decrees and other regulations that repeal, modify or complement them must be applied.
6. DUTIES OF THE DATA CONTROLLER
The Company as controller of personal data treatment shall comply with the following duties:
- Guarantee at all times the full and effective exercise of the data subject’s rights.
- Request and preserve, under the conditions provided by law, a copy of the respective authorization granted by the data subject.
- Properly inform the data subject about the purpose of collection and the rights that assist them by virtue of the authorization granted.
- Preserve information under the necessary security conditions to prevent its adulteration, loss, or unauthorized or fraudulent consultation, use or access.
- Guarantee that the information provided to the processor is truthful, complete, accurate, updated, verifiable and understandable.
- Update information, timely communicating to the processor all developments regarding data previously provided and adopt other necessary measures so that the information provided remains updated.
- Rectify information when incorrect and communicate what is pertinent to the processor.
- Provide the processor, as applicable, only data whose treatment is previously authorized in accordance with the provisions of the law.
- Require the processor at all times to respect the security and privacy conditions of the data subject’s information.
- Process queries and claims filed within the terms indicated in law 1581 of 2012.
- Adopt an internal manual of policies and procedures to guarantee adequate compliance with the law and especially for handling queries and claims.
- Inform the processor when certain information is under discussion by the data subject, once the claim has been filed and the respective procedure has not been completed.
- Inform upon request of the data subject about the use given to their data.
- Inform the data protection authority when security code violations occur and there are risks in the administration of data subjects’ information.
- Comply with instructions and requirements issued by the Superintendency of Industry and Commerce.
7. DUTIES OF DATA PROCESSORS
Data processors must comply with the following duties, without prejudice to other provisions set forth in the law and others governing their activity:
- Guarantee at all times the full and effective exercise of the data subject’s rights.
- Preserve information under the necessary security conditions to prevent its adulteration, loss, or unauthorized or fraudulent consultation, use or access.
- Timely perform the update, rectification or deletion of data within the terms of the law.
- Update information reported by data controllers within five (5) business days from its receipt.
- Process queries and claims filed by data subjects within the terms indicated in the law.
- Adopt an internal manual of policies and procedures to guarantee adequate compliance with the law and, especially, for handling queries and claims by data subjects.
- Record in the database the legend “claim in process” in the manner regulated by law.
- Insert in the database the legend “information under judicial discussion” once notified by the competent authority about judicial processes related to the quality of personal data.
- Refrain from circulating information that is being contested by the data subject and whose blocking has been ordered by the Superintendency of Industry and Commerce.
- Allow access to information only to persons who may have access to it.
- Inform the Superintendency of Industry and Commerce when security code violations occur and there are risks in the administration of data subjects’ information.
- Comply with instructions and requirements issued by the Superintendency of Industry and Commerce.
8. PROCEDURE FOR HANDLING QUERIES, CLAIMS AND PETITIONS; AND MECHANISMS TO EXERCISE DATA SUBJECTS’ RIGHTS
The data subject, their successors in interest, their representative or attorney, or whoever is determined by stipulation in favor of another, may exercise their rights by contacting us through written communication addressed to the area in charge of personal data protection in the Company. Communication may be sent to the following email: info@andestours.com.co or through written communication filed at the address: Carrera 9 No. 74 – 08 Local 103 – Bogotá, Colombia.
8.1. Queries: Upon request from the data subject, the Company shall provide all information contained in its databases linked to the data subject’s identification.
The Company shall respond to the query within a maximum term of ten (10) business days from the date of receipt. If it is not possible to respond within this timeframe, it shall inform the interested party of the reasons for the delay and indicate the response date that cannot exceed five (5) additional business days following the first term.
8.2. Claims: When it is considered that information contained in a Company database should be subject to correction, update or deletion, or when the alleged non-compliance with any of the duties contained in the law is noticed, claims may be filed with the Company.
If the claim is incomplete, the interested party shall be required within five (5) days following receipt of the claim to make necessary corrections. If two (2) months pass from the date of the requirement without the applicant presenting the required information, it shall be understood that they have withdrawn the claim.
In case the Company receives a claim for which it is not competent to resolve, it shall transfer it to whoever effectively corresponds within a maximum term of two (2) business days and inform the data subject.
The maximum term to address the claim shall be fifteen (15) business days from the day following the date of receipt. When it is not possible to address the claim within said term, the Company shall inform the data subject of the reasons for the delay and the new date when their claim will be addressed, which may not exceed eight (8) business days following the expiration of the first term.
Minimum content of the request: Requests submitted by the data subject to make a query or claim about the use and handling of their personal data must contain minimum specifications to provide the data subject with a clear and coherent response to what was requested. The request requirements are:
- Be addressed to the Company.
- Contain the data subject’s identification (name and identification document).
- Contain the description of facts that motivate the query or claim.
- The object of the petition.
- Indicate the data subject’s notification address, physical and electronic (email).
- Attach documents to be considered (if applicable).
In the event that the query or claim is presented in person, the data subject must submit their request or claim in writing without any formality other than the requirements demanded above.
8.3. Procedural requirement: The data subject, their successors in interest, their representative and attorney, or whoever is determined by stipulation in favor of another, may only file a complaint with the Superintendency of Industry and Commerce for the exercise of their rights once they have exhausted the query or claim procedure directly with the Company.
8.4. Update and rectification petition: Upon request from the data subject, the Company shall rectify and update information that is inaccurate or incomplete, following the procedure and terms indicated above. The data subject must submit the request through the channels provided by the Company, indicating the update and rectification required, and must also provide documentation supporting the petition.
8.5. Revocation of authorization and data deletion: The data subject may revoke at any time the consent or authorization given for the treatment of their personal data, provided there is no impediment established in a legal or contractual provision.
Likewise, the data subject has the right to request at any time that the Company delete or eliminate their personal data when:
- They consider that they are not being treated in accordance with the principles, duties and obligations provided in current regulations.
- They are no longer necessary or relevant for the purpose for which they were obtained.
- The necessary time for fulfilling the purposes for which they were obtained has been completed.
Such deletion implies the elimination either totally or partially of personal information, according to what is requested by the data subject in the records, files, databases or treatments carried out by the Company.
The right to cancellation is not absolute and therefore the Company may deny revocation of authorization or deletion of personal data in the following cases:
- The data subject has a legal or contractual duty to remain in the database.
- Data deletion obstructs judicial or administrative actions linked to fiscal obligations, investigation and prosecution of crimes or updating of administrative sanctions.
- Data is necessary to protect the legally protected interests of the data subject; to perform an action based on public interest, or to comply with an obligation legally acquired by the data subject.
8.6. Transfer and transmission of information: The Company shall provide personal data subject to treatment to the following persons:
- Data subject, their successors in interest or legal representatives.
- Public or administrative entities in the exercise of their legal functions or by court order.
- Third parties authorized by the data subject or by law.
The Company shall provide personal data to third parties provided they have authorization from the data subject for the purpose of responding to normal requirements of their activity. In this case, the third party, from the moment they receive the information, becomes processor of the same and must comply with legal obligations.
Every third party who, due to their relationship with the Company, is entrusted with the treatment of personal data must be asked for a contractual clause expressing knowledge of the law and responsibility in complying with it, and likewise, shall require prior authorization from the data subject to treat their personal data.
8.7. International transfers: The Company transfers personal data to third countries provided they provide adequate levels of data protection in accordance with standards set by the Superintendency of Industry and Commerce on the matter and when:
- The data subject grants their express and unequivocal authorization for the transfer.
- Data exchange is required for reasons of public health or hygiene.
- It involves banking or stock exchange transfers.
- It involves transfers agreed within the framework of international treaties in which the Republic of Colombia is a party.
- It is necessary for the execution of a contract between the data subject and the data controller or for the execution of pre-contractual measures.
- It is legally required for safeguarding public interest or for judicial purposes.
9. EXCEPTIONS
This policy does not apply to databases and files that:
- Have the purpose of national security and defense, as well as prevention, detection, monitoring and control of money laundering and terrorism financing.
- Have the purpose and contain intelligence and counterintelligence information.
- Have the purpose of journalistic information and other editorial content.
10. VALIDITY
This policy and procedure comes into effect on June 10, 2025 and remains in force until others are issued or it is substantially changed. The Company reserves the right to modify them, within the terms and limitations provided by law.
Databases administered by the Company shall be maintained indefinitely, while developing its purpose and while necessary to ensure compliance with legal obligations, particularly administrative, commercial, accounting and security obligations, but data may be deleted at any time upon request from the data subject, provided this request does not go against a legal obligation, or an obligation contained in a contract between the Company and the data subject.
11. POLICY VERSIONS
First version: November 17, 2016
Second version: June 10, 2025
COLETTE DENISE ALBRECHT GAVIRIA
ID: 51.719.147 of Bogotá
Legal Representative
