Personal Data Processing Policy

PERSONAL DATA PROCESSING POLICY OF LEYVA ABOGADOS S.A.S. B.I.C.

Leyva Abogados S.A.S. (hereinafter “Leyva Abogados” or “The Firm”), by virtue of its Responsibility for the Processing of Personal Data under the terms of Article 3 of Law 1581 of 2012 and its commitment to fulfilling its duty to guarantee the protection of the personal information of its clients, suppliers, shareholders, creditors, borrowers, employees, relatives thereof and third parties in general (hereinafter the “Information Owners”, “Personal Data Owners”, “Owners” or the “Owner”), issues and publishes this Personal Data Processing Policy (hereinafter the “Policy”) to regulate the collection, storage, use, dissemination, deletion, and in general, the processing of personal data that has been collected by Leyva Abogados in the course of its business-related activities since its incorporation. All of the above, under the current legal framework thereon established in (i) Article 15 of the Political Constitution, (ii) Law 1581 of 2012, (iii) Single Regulatory Decree 1074 of 2015, and (iv) Title V of the Single Circular of the Superintendence of Industry and Commerce and other norms that regulate, repeal, collect or modify these. Accordingly, this Policy will cover the following:

1. Contact and information of the party responsible for the processing of personal data

2. Processing of the personal data

3. Purpose of the processing of personal data

4. Rights of the personal data Owners

5. Area responsible for handling requests, inquiries and complaints

6. Procedure for data Owners to exercise their rights

7. Modifications

8. Policy validity

I. CONTACT AND INFORMATION OF THE PARTY RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA

Business or Personal Name: Leyva Abogados S.A.S. B.I.C.
Address: Bogotá D.C.
Address: Carrera 9 No. 74-08 Office 201
Email: administracion@leyvaabogados.com
Telephone: + (571) 7429660

II. PROCESSING OF THE PERSONAL DATA

Leyva Abogados, in fulfilling its corporate purpose, needs to establish relationships with its clients, suppliers, shareholders, creditors, borrowers, employees, relatives thereof and third parties in general, wherefore it collects, stores, uses, disseminates internally and deletes the personal data of said individuals. The processing of personal data by Leyva Abogados is exercised consistent with the purpose(s) that justify each type of processing, according to the classification included in numeral 3 of this Policy.

Accordingly, Leyva Abogados declares that:

a) For the processing of personal data, Leyva Abogados will always require the Owner to have provided prior and informed authorization, which will be obtained through (i) the services proposals it presents to its clients, or (ii) any virtual or printed means that may serve as proof of said authorization.

b) The personal data requested from the Owners to carry out the corporate purpose of Leyva Abogados include, but are not limited to, the following:

• Name and surname
• Colombian citizenship ID or TIN
• Email
• Address and domicile
• Phone number
• Cellphone number
• Fax number
• Party providing referral (in the case of clients or suppliers)
• Date of birth
• Bank account
• Vaccination status

c) Leyva Abogados, owing to its corporate purpose to provide legal advisory services, occasionally requests sensitive data from its clients, and does so only when the processing thereof is necessary for the recognition, exercise or defense of a right in a legal process. In such cases, The Firm will strictly adhere to the requirements established in Article 6 of Decree 1377 of 2013 compiled in article 2.2.2.25.2.3 of Sole Regulatory Decree 1074 of 2015.

d) Leyva Abogados, owing to its corporate purpose, requests sensitive data from its employees and does so only through pre-employment medical tests. In such cases, The Firm strictly adheres to the requirements established in Article 6 of Decree 1377 of 2013 compiled in article 2.2.2.25.2.3 of Sole Regulatory Decree 1074 of 2015.

e) The information that is collected by Leyva Abogados is used exclusively within the framework of the legal advisory economic activity.

f) Personal data will only be collected, stored and used for as long as is reasonable and necessary for the purpose(s) that justify its processing. Once the purpose(s) have been completed, The Firm will proceed to delete the personal data in its possession. Notwithstanding the foregoing, personal data must be kept when required to comply with a legal or contractual obligation.

g) The processing to which the personal data is submitted is governed by the principles of purpose, freedom, accuracy or quality, security, the principle of limited access and dissemination, and confidentiality, which are described below:

• Purpose principle. The personal data collected by The Firm by any means, whether verbal, oral or written, must comply with one of the legitimate purposes allowed by the Law and described in this Policy. The purposes will be informed to the Owner at the time of collecting the information.

• Freedom principle. The processing of personal data can only be exercised with the prior, express and informed consent of the Owner. The Firm may not obtain or disclose personal data of its Owners without their authorization or in the absence of a legal mandate that releases them from said consent.

• Accuracy or quality principle. The information subject to processing by the Firm must be truthful, complete, accurate, updated, verifiable and understandable. The Firm does not process partial, incomplete, fragmented or misleading data.

• Limited access and dissemination principle. The processing of personal data is subject to the limits resulting from its nature, and the legal and constitutional provisions that protect them.

The processing can only be exercised by the persons authorized by the Owner and/or by the persons specified in Law 1581 of 2012.

Personal data, except in the case of public information, will not be published on the Internet or by other means of disclosure or mass communication, unless access is controllable to provide limited accessibility thereof only to the Owners or authorized third parties following the Law.

• Security principle. The information subject to processing by the Firm, whether done internally or through a responsible party under the terms of Article 3 of Law 1581 of 2012, is handled with the necessary technical, human and administrative measures to guarantee the security of the records, avoiding their alteration, loss, referencing, use or unauthorized or fraudulent access.

Leyva Abogados will make every reasonable effort to comply with its legal obligations and safeguard the personal data with the highest degree of security available.

• Confidentiality principle. All persons hired by The Firm as employees thereof are obliged to guarantee the confidentiality of personal data. For this purpose, Leyva Abogados will endeavor to implement security policies that limit access, use and unauthorized disclosure of personal data in every possible way, and include confidentiality clauses in contracts that guarantee the confidentiality of information, which will be valid even after any of the tasks included in the processing have ended.

III. PURPOSE OF THE PROCESSING OF PERSONAL DATA

The purposes of the processing of personal data carried out by Leyva Abogados are the following:
• The execution of contractual relations subscribed with suppliers, clients, employees, service providers or others.
• The provision of advisory services and legal representation.
• The planning of pre-contractual meetings, the preparation and conveyance of service proposals to potential or existing clients.
• Offers of new legal services not included in the proposals accepted by clients.
• The provision of information to clients or interested parties related to legal and/or regulatory updates.
• Future contact with potential clients contacted at business events or comparable.
• Communications on matters for which The Firm is responsible related to the legal procedures commissioned by the clients.
• Communications whose purpose is to strengthen relationships with its clients.
• The exercise of customer service and marketing tasks.
• Invites to events that may be of interest to the Owners, organized, sponsored, or known to Leyva Abogados.
• The distribution of updated information related to The Firm.
• The execution of contractual relationships of any kind.
• Corroboration of balances, data or any information with creditors.
• The collection, updating or sending of invoices related to the obligations of its borrowers.
• Preparation of service records provided by suppliers and service providers.
• Registry of information related to the hiring of employees and contractors who provide services to Leyva Abogados or their families, which in no case will include sensitive data related to racial or ethnic origin, political orientation, religious convictions, and sexual orientation, among others.
• The execution and liquidation of terminated, current or future employment contracts.
• The conservation of personnel files with resumes for future positions and the completion of personnel selection processes.
• The conveyance of information related to the rights and duties of the shareholders of Leyva Abogados.
• Addressing legal or administrative requirements and compliance with judicial and/or legal orders.
• To contact natural persons with whom Leyva Abogados has or had a relationship, such as employees and their families, shareholders, clients, suppliers, creditors and borrowers, following the purposes established in this document.

IV. RIGHTS OF THE PERSONAL DATA OWNERS

The Owners of the personal data will have the rights recognized in Article 15 of the Political Constitution and Article 8 of Law 1581 of 2012, which they may exercise directly or through their legitimate representatives, per Article 20 of the Regulatory Decree 1377 of 2013 compiled in article 2.2.2.25.4.1 of the Single Regulatory Decree 1074 of 2015.

For this purpose, the rights of the Owners are the following:

• Know, update and rectify their personal data with those responsible for its processing. This right may be exercised, among others, regarding partial, inaccurate, incomplete, fragmented, and misleading data, or that whose processing is expressly prohibited or has not been authorized.
• Request proof of the authorization granted to those responsible for its processing except when expressly exempted thereof as a requirement for its processing, under the provisions of Article 10 of Law 1581 of 2012.
• Be notified by those responsible for its processing, upon request, regarding the use given to their personal data.
• Submit complaints to the Superintendence of Industry and Commerce for violations of the provisions of this law and the other regulations that modify, add or complement it.
• Revoke the authorization and/or request the deletion of the data when the principles, rights and constitutional and legal guarantees are not respected in the processing. The revocation and/or deletion will take place when the Superintendence of Industry and Commerce has established that the behavior of those responsible for the processing is contrary to the Law and the Constitution.
• Freely access their processed personal data.

V. AREA RESPONSIBLE FOR HANDLING REQUESTS, INQUIRIES AND COMPLAINTS

The area responsible for handling requests, inquiries and complaints or any requirement related to the rights of the Owners includes one (1) administrative member and one (1) attorney.

The titleholder(s) may submit their requirements from Monday to Friday between 8:00 am and 5:00 pm to the email administracion@leyvaabogados.com, or via phone + (57 1) 7429660, or send them to the address Carrera 9 No. 74-08 Office 201, in the city of Bogotá DC.

VI. PROCEDURE FOR DATA OWNERS TO EXERCISE THEIR RIGHTS

To guarantee the rights of the Owners of the personal data, Leyva Abogados has established the following procedures:

7.1. Inquiries:

The Owner or their assignees may submit inquiries to the respective area in Leyva Abogados to know, update or rectify their personal data, request proof of the authorization granted by the titleholder, or consult the processing thereof.

In this respect, the Owner or their assignees must submit written communication, either physically or electronically, addressed to the data protection administrator, which must identify them fully to prove their identity as Owner or authorized representative to prevent unauthorized third parties from accessing the information.

The inquiry will be addressed within a maximum of ten (10) business days from the date it is received. If it is not possible to answer the inquiry within said term, the interested party will be informed of the reasons for the delay and the date on which an answer will be provided, which in no case may exceed five (5) business days following the due date of the first period.

7.2. Complaints:

The Owner or their assignees may request that Leyva Abogados (i) delete their personal data, (ii) revoke their authorization for the processing thereof, or (iii) submit a complaint regarding any alleged breach of the duties of Leyva Abogados included within the regulatory framework for the processing of Personal Data.

7.2.1 Procedure:

7.2.1.1 The complaint must be submitted to the responsible area and contain (i) the description of the facts that give rise to the claim, (ii) the notification address, and (iii) the documents that support said complaint.

7.2.1.2 If the complaint is incomplete, the responsible area will require the interested party to correct the faults within five (5) days after receipt thereof. If two (2) months have elapsed from the date of said request without the applicant providing the required information, it will be understood the complaint has been withdrawn.

7.2.1.3 If the person who receives the complaint at The Firm is not competent to resolve it, it will be transferred to the area in charge within a maximum of two (2) business days from the receipt thereof, and the interested party will be informed of the situation.

7.2.1.4 Once the complete complaint is received, a notice will be posted within two (2) business days in the database that states “in process” and the reason thereof. Said notice must be posted until the issue has been resolved.

7.2.1.5 The maximum term to respond to the complaint will be fifteen (15) business days from the day after its receipt.

7.2.1.6 If it is not possible to respond to the complaint within said term, the interested party will be informed of the reasons for the delay and the date on which their complaint will be answered, which in no case may exceed eight (8) business days following the expiration of the first period.

VII. MODIFICATIONS TO THE DATA PROCESSING POLICY

If Leyva Abogados, in the course of complying with its Comprehensive Program for the processing of Personal Data, were to substantially modify this Policy in such a way that it affects the content and the consent of the authorization granted by the Owners, it will inform them before the adoption of the new Policy or, at the latest, at the time of its implementation.

Additionally, Leyva Abogados will obtain a new authorization when the change alters in any way the purpose of the processing. Accordingly, modifications to this Policy will be published in this section of the Leyva Abogados website so that they can be easily consulted.

Leyva Abogados may notify the registered email of each client, worker, supplier, and, in general, any Owner, that there has been a change in the Policy. However, notification via email is optional and it will be understood that Leyva Abogados complies with its notification obligation by publishing the changes in this section of the website indicating the date of the last change.

VIII. POLICY VALIDITY

The Personal Data processing Policy has been in force since January 2, 2018. However, it is hereby notified that the Policy has been fully modified and its modifications are effective as of May 9, 2022.