The CONFIPETROL 1 Group (hereinafter, THE COMPANY) is aware of the correct use and processing of personal data and information obtained or transferred by its stakeholders (customers, suppliers, employees, candidates, associates, board of directors or management, communities, visitors, and/or any related third party), hereinafter STAKEHOLDERS, or because of their relationship with THE COMPANY.
In line with the above, we have a commitment to respect, guarantee and protect the privacy and confidentiality of the private information and personal data of our STAKEHOLDERS, guaranteeing the respective and correct use and processing thereof.
AIM AND PURPOSE
The purpose of this Personal Data Protection and Processing Policy (hereinafter, THE POLICY) of THE COMPANY is to adopt and define the guidelines applicable to the processing of personal data of its STAKEHOLDERS, ensuring their confidentiality and protection. The aim of this policy is to inform our STAKEHOLDERS about the way in which their personal data and information is collected, processed and protected, and to inform them of their rights, as well as the duties of the COMPANY in this matter.
THE POLICY shall establish the guidelines and directives of the internal procedures 2 corresponding to each country 3 in which THE COMPANY operates and develops its business, thus complying with the provisions of the applicable law in force in each of such countries. Notwithstanding the foregoing, all employees and/or members of the STAKEHOLDERS that in the exercise of their duties must handle personal information of THE COMPANY and of the STAKEHOLDERS shall abide by the POLICY and procedures of each country, as applicable. It is worth noting that private personal information does not include information available from public sources.
1 For the purposes of this POLICY, CONFIPETROL Group is considered to be the group of companies in which CONFIPETROL S.A.S. (Colombia) operates directly or indirectly at international level, either through consortiums, consortium companies, affiliates, subsidiaries, branches, or any company or entity where it has participation now or in the future; being considered at the date of issuance of this POLICY the countries of Peru (Confipetrol Andina S. A.), Chile (Confipetrol Chile S.p.A.), Argentina (Confipetrol S.A.S. Sucursal Argentina), and Bolivia (Confipetrol S.A.S. Sucursal Bolivia).
2 The term Procedure refers to the instructive document that defines the specific guidelines for the development of the activity or process, describing the objective, scope, terminology, responsibilities, etc., applicable to the Policy or different processes subject to compliance.
3 As of the date of issuance of this Policy, THE COMPANY operates and conducts its business in Colombia, Peru, Bolivia, Chile, and Argentina.
THE POLICY is directed to the STAKEHOLDERS, who must comply with all the terms, procedures and guidelines established by law and all current and applicable legal regulations regarding the protection of personal data and habeas data rights in the countries where CONFIPETROL operates and conducts business.
THE POLICY shall apply to all those processes that involve personal data information of the STAKEHOLDERS, which make them susceptible to processing, and to any form of subsequent use of this data and shall be mandatory and strictly complied with.
THE POLICY is governed by the legislation applicable and in force in each country in which THE COMPANY operates and conducts its business activities.
DEFINITION OF CONCEPTS AND TERMINOLOGY
For understanding, interpreting and applying THE POLICY, the following definitions are established, in general terms, applicable in the countries in which THE COMPANY operates and conducts its business, in accordance with applicable and current law:
➢ Authorization: The prior, express, and informed consent given by the subject of any personal data for the company to carry out the processing of his/her personal data.
➢ Data Base: Organized collection of personal and/or business data, whether automated or not, regardless of the format, whether physical, magnetic, digital, optical or other that may be created, whatever the form or modality of its creation, generation, storage, organization and access, which is object of processing.
➢ Personal data: Any information linked or linkable to a particular or determinable natural person or persons by means that can be reasonably utilized.
➢ Sensitive data: those that affect the privacy of the Subject of personal data or whose improper use can generate discrimination, such as, physical or moral characteristics of persons or facts or circumstances of their private life or intimacy, such as personal habits, racial origin, ideologies and political opinions, religious beliefs or convictions, physical or psychological health conditions and sexual life.
➢ Business data: Any information linked to a legal entity, company name, corporate name and/or organization.
➢ Suppression (deletion or cancellation of data): The destruction of data stored in registers or databases, whatever the procedure used for this purpose, in those cases in which it is appropriate.
➢ Data processor or data base manager: Natural person or legal entity, public or private, that by itself or acting jointly with others, carries out the processing of data and information on behalf of the data controller or database owner (personal or business).
➢ Cross-border data flow: International transfer of personal or business data to a recipient located in a country other than the country of origin of the personal or business data, regardless of the medium on which the data is held, how the transfer was effected or the processing of the data.
➢ Modification of data: any change in the content of data stored in registers or databases.
➢ Dissociated data (anonymized): Data that does not allow direct or indirect identification of its subject.
➢ Personal data subject: Natural person whose personal data and/or information is the subject of processing.
➢ Business data subject: Natural person or legal entity, owner of the business data and/or information to be processed.
➢ Data Controller or Database Subject: Natural person or legal entity, public or private, that determines the purpose and content of the database, its processing and security measures.
➢ Data transfer: sending, supplying, or disclosing personal and/or business data, of a national or international nature, to a natural or legal person, or to a public entity, other than the subject of the personal and/or business data.
➢ Data processing: Any operation or set of operations involving personal and/or business data, whether automated or not, such as collection, recording, organization, storage, preservation, processing, modification, extraction, transfer, dissemination, consultation, use, circulation, blocking, deletion, communication and/or any other form of processing that facilitates access to the data.
The aforementioned terms and definitions, as well as any other additional terms and definitions, shall be specified and expanded in the corresponding Procedures applicable to each country in which THE COMPANY operates and conducts business.
PURPOSE OF DATA COLLECTION
THE COMPANY will use the data collected or to which it has access, for the execution and development of its corporate purpose, for lawful purposes, in accordance with the provisions of the Constitution and applicable laws, which are communicated with consent, in a free, prior, clear, express, voluntary, and informed manner, establishing the treatment and purpose to which such data will be subjected. The aforementioned communication will be made to the STAKEHOLDERS through the means defined by THE COMPANY. The data are managed and stored in databases and/or information systems of THE COMPANY, in accordance with the purpose for which they were collected, with the purpose of their processing in accordance with the applicable legal provisions in force and the administrative, accounting, tax, legal, historical and conservation aspects of the information.
RIGHTS OF THE PERSONAL AND/OR CORPORATE DATA SUBJECTS
The owners of the personal and/or business data contained in the databases, files, information systems or similar of THE COMPANY, have the right, in accordance with the applicable legislation and legal requirements in force, to:
a) Receive the request for authorization and/or consent for the processing of their data, subject to the exceptions provided for in the legislation in force applicable to each country.
b) Issue the authorization and/or consent for the processing of their personal and/or business data.
c) Submit requests, inquiries, petitions, complaints, or claims related to the processing of their data to the COMPANY.
d) Submit requests for access, updating, inclusion, rectification, cancellation, opposition 4 and/or suppression of their personal and/or business data, as well as the information contained in databases, files, information systems and similar, about which they are holders; except when there is a legal or contractual obligation that prevents it.
e) Request from THE COMPANY proof of the authorization granted for the processing of their personal and/or business data.
f) Obtain from THE COMPANY, response to inquiries, requests, complaints, claims, requests for rectification, updating, access, deletion, cancellation, opposition, or revocation of their personal data and / or business data recorded through the means established by THE COMPANY, so that it is easy to read and without technical barriers that impede their understanding. For this purpose, the holder may authorize his legal representative or his assignees as appropriate.
g) Be informed by the data controller or by the database subject, upon request, regarding the use that will be given or has been given to their personal data and/or business data, and other requirements for each country.
h) File before the competent authority 5 complaints for infringements to the provisions of the applicable legislation in force regarding personal and/or business data.
The Procedures applicable to each country in which THE COMPANY operates and conducts business shall establish the specific rights applicable to the subjects of personal and/or business data.
In general, the holders of the data may request access, updating, inclusion, rectification, cancellation, opposition and/or deletion of the same, once the purpose for which THE COMPANY requested their data has been fulfilled or when the term foreseen for its use has elapsed, provided that the time frame is explicitly defined. However, the data will be retained by THE COMPANY, when so required, in compliance with a legal or contractual obligation.
COMPANY OBLIGATIONS WITH REGARD TO THE PROCESSING OF PERSONAL AND/OR BUSINESS DATA
THE COMPANY has the following obligations in the execution of THE POLICY, in accordance with current legislation and legal requirements:
a) Ensure the protection of personal and/or business data.
b) Adopt measures and procedures within THE COMPANY so that its employees respect the processing of the data of the subjects who have so authorized and/or consented.
c) Inform the subject of the personal and/or business data regarding the purpose of the storage of their personal and/or business data and its possible communication to the public.
d) Request from the subject of the personal and/or business data, authorizations for its processing, except for exceptions provided for in the legislation in force applicable to each country.
4 Right allowing the data subject to object to the processing of his/her data, on legitimate and well-founded grounds, unless otherwise provided by law.
5 Competent Authority is understood to be the government holder or authority that has the necessary competence for a specific public legal action, which generally involves the exercise of power. For the purposes of THE POLICY, the competent authority shall be the governmental entity of the country in which THE COMPANY operates and conducts its business.
e) Maintain the authorization and/or consent for data processing issued by the subject and/or have it available to be consulted at a later date.
f) Obtain authorization and consent from the subject of the data, when it is required to provide it to a third party, to be in charge of the processing of personal and/or business data subject to processing.
g) Adopt the necessary security measures to prevent alteration, loss, consultation, use or unauthorized or fraudulent access to personal and/or business data.
h) Regulate if required, in contracts with third parties, access to databases, files, information systems and similar containing personal and/or business data.
i) At the time of data collection, inform the subject of the data, the purpose for which the information is collected as well as its processing.
j) Collect updated, necessary, relevant and adequate data, in relation to specific, explicit and lawful purposes for which they have been obtained.
k) Answer the queries and requests referred by the subject of the data.
l) Provide the competent authority with information on the processing and access to the database managed.
m) Comply with the instructions and requirements given by the competent authority. Inform the competent authority when there are violations to the security codes and there are risks in the administration of the information of the subjects.
n) Not to use the data for purposes other than those for which they were collected, unless there is a dissociation procedure or request for a new authorization, as applicable to each country.
o) Refrain from circulating information whose blocking has been ordered by the competent authority.
p) Inform the subjects when there are substantial changes in THE POLICY and obtain from the subjects a new authorization when the changes are associated with the purpose of the data processing.
q) Delete the data when they are no longer necessary for their purpose or when the term for their processing has expired, as applicable to each country.
The Procedures applicable to each country in which THE COMPANY operates and conducts its business shall establish the specific obligations corresponding to THE COMPANY. The processing of personal data by outsourced technological means, whether complete or partial, may be contracted as long as compliance with the applicable legislation in force in each country is guaranteed. Technological means, including services, applications, infrastructure, among others, refers to those in which the processing is automatic, without human intervention.
PERSONAL DATA OF CHILDREN AND/OR MINORS
In principle, THE COMPANY will not require personal data of children or minors for the development of its processes. Such data will be required when the law or any social and/or welfare program in favor of the STAKEHOLDERS or at the request of THE COMPANY is necessary; for which, prior collection and/or obtaining and/or consent of the personal data of children and/or minors, THE COMPANY will inform the subject and/or holder of parental authority and/or legal guardian thereof (who will exercise the powers of sufficient representation and/or sufficient capacity to exercise), regarding the optional nature in its delivery, as well as the use and processing thereof. In this regard, THE COMPANY will ensure a special processing of the information and/or personal data of children and/or minors, in order to ensure and protect their fundamental rights, except for those data that are of a public nature.
TRANSFER OF PERSONAL AND/OR BUSINESS DATA
The transfer to third parties of personal and/or business data, of any kind, without the authorization of the holders thereof is forbidden; unless such transfer is made to the holders themselves, assignees or legal representatives authorized for such purpose, or is made at the request of third parties authorized by the applicable legislation in force or by the competent Authorities, in the exercise of their legal functions or by court order, as well as in the other cases established by the applicable legislation in force for such purpose. In addition, those in charge of each database must ensure that any transfer of data has the consent of the data subject, unless otherwise provided for in the applicable legislation in force.
The data provided by our STAKEHOLDERS will be stored in the databases owned by THE COMPANY and will be processed in accordance with the provisions of the applicable legislation in force, in order to perform the purposes set out above.
The procedures applicable to each country in which THE COMPANY operates and conducts business, as applicable, shall establish the registration of the databases maintained to date with the competent authority, which shall be updated as modifications are made thereto. The data provided by our STAKEHOLDERS to THE COMPANY may only be known and processed by COMPANY personnel who need to know such information. These data will be treated in a loyal and lawful manner, not being used for other purposes incompatible with those specified.
MANAGEMENT AND PROCESSING OF DATABASES
The creation, access, updating, rectification, cancellation, opposition or suppression of the databases must consider:
a) The implementation of procedures for the creation, access, updating, rectification, cancellation, opposition, elimination, suppression and transfer of databases.
b) The prior implementation of the security measures necessary for compliance with THE POLICY, the Law and its complementary regulations in force and applicable.
The collection of data and consent of the owner of such data must consider:
a) The COMPANY prohibition against the collection of data by fraudulent, unfair or unlawful means.
b) The prohibition of THE COMPANY with respect to the purchase of customer and/or supplier databases.
c) Prior to any processing of personal data, the person in charge of each database is responsible for ensuring that the consent of the subject of the personal and/or business data is obtained.
d) Prior to the collection of data, the consent of the subject must be obtained, which must be informed, free, prior, express, voluntary and unequivocal.
e) Such consent may be obtained verbally or in writing, as appropriate.
f) The collection of data must be necessary and lawful in relation to the purposes determined. Likewise, the quality of the data contained in the data bank must be guaranteed, and the necessary security measures must be applied to help prevent the adulteration, loss and detour of the data.
g) In case it is necessary to process the data of a minor, the consent of the minor's parents or guardians, as appropriate, will be required, with the exceptions provided for in the applicable legislation in force.
h) Consent will not be required when the personal data is of a personal nature:
▪ When it concerns personal data contained or intended to be contained in publicly accessible sources.
▪ When there are exceptions established by the applicable legislation in force and its complementary rules.
i) When using the digital environment, consent shall be considered to have been properly granted when click, pinch, tap, touch, pad, or other similar means are positively provided, when a member of the STAKEHOLDER GROUP is asked for his/her acceptance of these terms applicable to the processing of his/her data.
j) In the event of obtaining data without the prior consent of the data owner and there is no exception for the request, measures must be implemented to obtain the consent to process the data.
Any third party with whom THE COMPANY shares data information must consider and comply, as part of the current service, with the requirements of the applicable legislation in force, which must be formalized by means of a contract signed by both Parties.
CROSS-BORDER DATA FLOW
The Procedures applicable to each country in which THE COMPANY operates and conducts its business shall establish the applicable guidelines regarding the cross-border flow of data subject to processing and/or consent.
CONFIDENTIALITY OF DATA
The data provided by the STAKEHOLDERS will be processed with total confidentiality. THE COMPANY is committed to maintain professional secrecy indefinitely with respect to these and guarantees the duty to keep them by adopting all necessary security measures.
In compliance with current applicable legislation, THE COMPANY has adopted the technical security measures appropriate to the category of data necessary to maintain the required level of security, in order to prevent alteration, loss or unauthorized access or processing that may affect the integrity, confidentiality and availability of the information.
The COMPANY has implemented all legal, technical and organizational measures necessary to ensure the security of personal data and prevent its alteration, loss and treatment and/or unauthorized access, taking into account the state of technology, the nature of the data stored and the risks to which they are exposed, whether from human action, the physical or natural environment, as established by current legislation. Notwithstanding the above, all information provided by our STAKEHOLDERS will be sent at their own risk. THE COMPANY recommends the utmost diligence to our STAKEHOLDERS when transferring to third parties or publishing personal information to avoid putting their data at risk, exonerating THE COMPANY from any liability in case of theft, modification, or loss of illicit data.
GUIDELINES FOR THE CONSULTATION, CREATION, ACCESS, RECTIFICATION, UPDATING, CANCELLATION, OPPOSITION, ELIMINATION, TRANSFER, SUPPRESSION AND/OR REVOCATION OF THE AUTHORIZATION AND/OR CONSENT OF THE DATA SUBJECTS
In accordance with the applicable legislation in force, data subjects have the right to access their data and the details of the processing thereof, as well as to consult them periodically, request their rectification and updating in case they present changes and/or are inaccurate, as well as to request their exclusion, opposition, cancellation, revocation and deletion when deemed appropriate, provided that the request does not violate legal or contractual obligations that the COMPANY has agreed with the subject of the data.
The Procedures applicable to each country in which THE COMPANY operates and conducts its business shall establish the applicable guidelines and mechanisms for the management of the aforementioned requests from the subjects of personal and/or business data. It is worth noting that THE COMPANY will record the date of receipt of the request in order to continue the process.
Submission of requests
The subject of the information may consult their data free of charge whenever required. To know the personal data that are being processed by THE COMPANY, the subject may submit this, or any other request related to their data, through the channels indicated in the respective Procedures, indicating the information they wish to consult or know.
The data subject or his/her legal representatives who consider that the information contained in a database of THE COMPANY should be accessed, rectified, updated, suppressed, canceled, deleted, opposed and/or revoked, when noticing an alleged breach of any of the requirements contained in the applicable legislation in force governing THE COMPANY, may submit a claim and/or request to be received, reviewed and managed by THE COMPANY. To this end, THE COMPANY shall take into account that the aforementioned rights referred to the authorization and/or consent granted, may only be exercised by the subjects or their legal representatives, upon proof of representation. The aforementioned request must be submitted through the means provided by THE COMPANY and must contain at least the following information:
a) The name, address and/or e-mail address of the holder or any other means to receive the response.
b) The documents proving the identity or authority of his representative and his capacity as representative.
c) The clear and precise description of the data with respect to which the applicant seeks to exercise some of the rights.
d) Physical or electronic address, where the corresponding notifications will be received.
e) Date and signature of the applicant.
f) Other elements or documents that facilitate the location of the data.
g) Any other information that the applicant considers relevant for the understanding and/or management of the request.
Once the consultation or complaint procedure before the COMPANY has been exhausted, the holder or his legal representative may submit his complaint to the competent authority.
Response times and management
The Procedures applicable to each country in which THE COMPANY operates and conducts its business shall establish the applicable response times and management for the handling of the aforementioned requests from personal and/or business data subjects.
AREA RESPONSIBLE FOR THE SERVICE AND PROCESSING OF REQUESTS FOR CONSULTATIONS AND CLAIMS
The Procedures applicable to each country in which THE COMPANY operates and conducts its business shall establish the area responsible for handling requests for consultation and complaints regarding the rights of data subjects. In the event of any non-compliance with the guidelines described in THE POLICY, whoever detects it must report it to the following e-mail address: firstname.lastname@example.org
DATA OF DATA PROCESSOR
The Procedures applicable to each country in which THE COMPANY operates and conducts its business shall establish the data processor with respect to personal data.
APPLICABLE FOR COLOMBIA
The responsible for the processing of requests, queries and claims where the subject may exercise his rights to know, update, rectify and delete the data and revoke the authorization, is:
a) Responsible for personal data: Confipetrol S.A.S.
b) Process: Compliance - Personal Data Processing Officer is in charge of the Personal Data protection function.
c) Address and telephone: Carrera 15 # 98 -26 and telephone 4232949 in Bogota - Colombia.
d) E-mail address: email@example.com
THE COMPANY commits and guarantees that THE POLICY will be kept up to date, according to the development and operation of THE COMPANY business. The periodicity for its review, update or approval shall be on an annual basis, or when significant changes occur in internal procedures or in the applicable legislation in force.
Each update of THE POLICY shall be accompanied by the respective notification and training of those obliged to comply with it and to know it.
POLICY EFFECTIVE DATE AND DATABASE VALIDITY PERIOD
THE POLICY shall become effective as of its publication. The validity of the databases will be the reasonable and necessary time to fulfill the purposes of the Processing.
EXCEPTIONS AND PENALTIES
Consideration must be given to:
a) Any exception to compliance with THE POLICY must be notified to the person appointed in the Procedure applicable to each country in which THE COMPANY operates and conducts business, for registration and evaluation.
b) Failure to comply with THE POLICY will be considered a serious offense and will be sanctioned as such, according to the internal work regulations applicable to THE COMPANY.
Note: THE POLICY must be read in conjunction with the applicable procedure for the processing of personal data in each country.
Oscar Jeovanny Fernandez Moreno
President and Legal Representative