GENERAL CONSIDERATIONS

Article 15 of the Constitution of the Republic of Colombia establishes the right of any person to know, update and rectify the personal data that exists about him/her in data banks or files of public or private entities. Likewise, it orders those who have personal data of third parties to respect the rights and guarantees provided in the Constitution when such information is collected, processed and circulated.

The purpose of this manual is to comply with the legal, constitutional and jurisprudential provisions concerning the development of the constitutional right of all persons to know, update and rectify the information that has been collected about them in databases or files related to article 15 of the Constitution, as well as the right to information enshrined in article 20 of the Constitution.

In general terms, this manual establishes the policies and procedures through which the owner of the personal data can enforce their rights related to the processing of their data and in turn, the treatment that the controller must give to the data of third parties, as well as the mechanisms to urge compliance with the duties of the controller. Likewise, some definitions are given regarding terms necessary for the correct application of the aforementioned policies, together with the principles on which the collection and processing of personal data is based.

ARTICLE 1. – PURPOSE, SCOPE OF APPLICATION AND REACH

GRUPO ESTETICO CB S.A.S with NIT 901321576-8 , with main address at Cra 43 A # 19 17,

Medellín, Antioquia, Colombia, in order to respect the privacy and intimacy of the holders of personal data stored in its databases and files, as well as to regulate and comply with the policies and procedures that will be applicable in the handling of personal data information by GRUPO ESTETICO CB S.A. S according to the provisions contained in Law 1581 of 2012 and Decree 1377 of 2013, in its capacity as responsible for the treatment is allowed to inform its customers, suppliers and / or contractors, workers, candidates for vacancies, shareholders and in general to anyone who holds the quality of holder of personal data, that through its prior, express and informed authorization their data will be collected to be subject to treatment, among which are: the use, circulation and storage; according to the purposes outlined in this document.

In compliance with the provisions of Article 15 of the Constitution, Law 1581 of 2012 and its regulatory decrees, inform in general to all natural persons who provide or have provided their personal data the contents of this POLICY OF PERSONAL DATA PROCESSING, which is mandatory for all persons listed above and who are part of GRUPO ESTETICO CB S.A.S. in all its locations.

SCOPE

This manual is applicable to the personal data of natural persons registered in the databases related to Employees, Board members, Suppliers, Customers, current beneficiaries, beneficiaries of previous years, natural persons who have applied to any of our programs, which are susceptible to treatment. It shall apply to the personal data that are subject to collection and handling by GRUPO ESTETICO CB S.A.S.

ARTICLE 2. – APPLICABLE LEGISLATION.

The legislation applicable to this policy for the protection of personal data and in accordance with

this policy was drafted is:

Law 1581 of 2012.
Decree 1377 of 2013.

And others determined by law and national jurisprudence.

ARTICLE 3. – DEFINITIONS.

In compliance with the law and in order to facilitate the understanding of the technical vocabulary used in this policy, the following terms shall be understood as follows:

• Authorization: Prior, express and informed consent of the Data Subject to carry out the processing of personal data (Source: Statutory Law 1581 of October 17, 2012).
• Database: Organized set of personal data that is subject to processing (Source: Statutory Law 1581 of October 17, 2012).
• Consent of the holder: It is a manifestation of the will, informed, free and unequivocal, through which the holder of the personal data accepts that a third party use their information for commercial purposes.
• Consultations: The Data Controllers or their successors in title may consult the personal information of the Data Controller contained in any database, whether in the public or private sector. The Data Controller or Data Processor must provide them with all the information contained in the individual record or that is linked to the identification of the Data Subject (Source: Statutory Law 1581 of October 17, 2012).
• Personal data: Refers to information on natural persons (identified or identifiable), relating both to their identity (name and surname, address, affiliation, etc.) and their existence and occupations (studies, work, diseases, etc.).
• Public data: It is the data qualified as such according to the mandates of the law or the Political Constitution and all those that are not semi-private or private, in accordance with this law. Public data includes, among others, data contained in public documents, duly executed court rulings that are not subject to confidentiality and data related to the civil status of persons (Source: Statutory Law 1266 of 2008).
• Semi-private data: Semi-private data is data that is not of an intimate, reserved or public nature and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector or group of persons or to society in general, such as the financial and credit data of commercial or service activity referred to in Title IV of this law. (Source: Statutory Law 1266 of 2008).
• Private data: Data that, due to its intimate or reserved nature, is only relevant to the owner (Source: Statutory Law 1266 of 2008).
• Sensitive data: For the purposes of this policy, sensitive data are understood as those that affect the privacy of the Data Subject or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sex life and biometric data.
• Data processor: The person who handles personal data, but does not decide how or for what purpose. Their work is operational and is done based on the indications and instructions of the data controller.
• Habeas Data: It is the right that every holder of information has to know, update, rectify or oppose to the information concerning their personal data.
• Protection of personal data: It is a fundamental right that all natural persons have. It seeks the protection of their privacy and intimacy against a possible violation due to the improper treatment of personal data captured by a third party.
• Claim: The Data Subject or its assignees who consider that the information contained in a database should be corrected, updated or deleted, or when they notice the alleged breach of any of the duties contained in this law, may file a claim with the Data Controller or the Data Processor (Source: Statutory Law 1581 of October 17, 2012).
• Data Controller: Natural or legal person, public or private, who by itself or in association with others, decides on the database and/or the processing of data. (Source: Statutory Law 1581 of October 17, 2012.
• Processing: Any operation or physical or automated procedures that allow to capture, record, reproduce, preserve, organize, modify, transmit personal data.
  Data processing: As a general rule, the consent of the holder of the personal data is required in order to carry out any processing of his data.
• Personal data subject: The natural person whose personal data is processed by a third party.

ARTICLE 4. – GUIDING PRINCIPLES.

GRUPO ESTETICO CB S.A.S, is committed to the freedom, integrity, transparency, confidentiality, truthfulness and availability of personal data, which is why the principles set forth below are the general parameters that will be respected in the processes of collection, use and processing of personal data as provided by Law 1581 of 2012 and its regulatory decrees.

Legality in terms of data processing. The processing of personal data is a regulated activity, so GRUPO ESTETICO CB S.A.S. will comply with the provisions of Law 1581 of 2012 and other provisions that develop it.
Purpose. GRUPO ESTETICO CB S.A.S will apply treatment to personal data always obeying a legitimate purpose, making calls to phone numbers, sending digital messages, emails, and any other means of dissemination of physical or electronic information known or to be known, when necessary for any subject, including commercial issues such as reporting new services, promotions, plans, invitation to events, reminders, know your opinion with the service provided and in general provide important information GRUPO ESTETICO CB S.A.S, which will be previously informed to the holder.