Privacy Policy

PERSONAL DATA PROCESSING POLICY

INTRODUCTION

Holding Hotelera GHL SAS, subsidiaries, affiliates and the companies that comprise it (hereinafter “GHL”), recognizes the importance of privacy and is committed to protecting the personal data of guests, clients, visitors, collaborators, suppliers and in generally any third party that may relate to GHL.

This personal data processing policy (the “Policy”) is intended to inform the general public of the way in which GHL processes the personal data of the Owners (as this term is defined below) that are in its databases. data.

II. AIM

Establish the general guidelines for the effective management of the protection of Personal Data (as this term is defined below) under which GHL processes them, inform the Owners of the Personal Data of the rights that assist them, the channels and mechanisms provided by GHL to exercise them.

III. SCOPE

This Policy applies to all personal data of the Owners that are processed by GHL as the data controller.

IV. DEFINITIONS

For the purposes of this Policy, capitalized terms included throughout this document will have the meaning assigned to them below, whether used in the plural or singular.

Authorization: Means the prior, express and informed consent of the Owner to carry out the Processing of their Personal Data.

Database: It is the organized set of Personal Data that is subject to Processing, electronic or not, regardless of the method of its formation, storage, organization and access.

Candidates: They mean those natural persons who applied to occupy a position in GHL.

Collaborators: They mean the natural persons who provide their services to GHL, through an employment contract.

Financial Data: It is all Personal Data referring to the birth, execution and extinction of monetary obligations, regardless of the nature of the contract that gives rise to them, the Treatment of which is governed by the Applicable Regulations.

Personal Data: It is any information, linked or that can be associated with one or several specific or determinable natural or legal persons, which includes Financial Data and Sensitive Data.

Public Data: It is the Personal Data classified as such according to the Applicable Regulations, if it exists, and, consequently, it is that which is not semi-private, private or sensitive. Public are, among others, data relating to the marital status of people, their profession or trade, their status as a merchant or public servant and those that can be obtained without any reservation. Due to its nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, duly executed judicial rulings that are not subject to confidentiality.

Sensitive Data: It is the Personal Data that affects the privacy of the Owner or whose improper use can generate discrimination, such as those that reveal union affiliations, racial or ethnic origin, political orientation, religious, moral or philosophical convictions, membership to unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.

Processor: It is the natural or legal person, public or private, who, by themselves or in association with others, carries out the Processing of Personal Data on behalf of the Controller. The processor is understood to be any supplier, allies or third parties who carry out data processing on behalf of GHL.

Applicable Regulations: It has the meaning established in the annex corresponding to each country or jurisdiction included in this Policy.

Owners: They mean the holders of the right of ownership of the properties where the hotels that are operated by GHL are located.

Suppliers: They mean those natural and/or legal persons that supply goods and/or services to GHL.

Data Controller: It is the natural or legal person, public or private, who alone or in association with others, decides on the Database and/or the Processing of Personal Data.

Owner: Is the natural person whose Personal Data is the subject of Processing, as a consequence of the relationship between the Owner and GHL. The Owner is understood to be the Candidates, clients, collaborators, suppliers, owners, shareholders and any person in general who provides their data to GHL as Data Controller.

Transfer: It takes place when the Controller and/or Processor of Personal Data, located in a certain jurisdiction, sends the personal data information to a recipient, who in turn is responsible for the treatment and is located inside or outside the country.

Treatment: It is any systematic operation and procedure, electronic or not, that allows the collection, conservation, ordering, storage, modification, relationship, use, circulation, evaluation, blocking, destruction and in general, the processing of Personal Data, as well as its Transfer and/or Transmission to third parties through communications, queries, interconnections, assignments, data messages.

V. PRINCIPLES

GHL, in developing its corporate purpose, collects, uses, stores, transfers and generally processes the Personal Data of the Owners, in accordance with the purposes established in this Policy. In all Personal Data Processing carried out by GHL, the Controllers, Processors and/or third parties to whom Personal Data is transferred must comply with the principles and rules established in the Applicable Regulations and in this Policy, in order to guarantee the right to habeas data of the Holders and comply with the obligations established in the Applicable Regulations.

The principles that govern this Policy are:

5.1. Demonstrated responsibility (“Accountability”): GHL has the appropriate measures to comply and be in a position to demonstrate that it complies with regulations regarding the protection of personal data.

5.2. Legality: GHL processes personal data lawfully in application of current and applicable provisions.

5.3. Freedom: All Personal Data Processing is carried out once the prior, express and informed consent of the Owner has been obtained, unless the Applicable Regulations establish an exception to this rule.

5.4. Authorized purpose: All Personal Data Processing activities must obey the purposes mentioned in this Policy and the consent granted by the Owner of the Personal Data, or in the specific documents where each type or process of Personal Data Processing is regulated. The purpose of the particular Processing of Personal Data must be informed to the Owner of the Personal Data at the time of obtaining Authorization for it. Personal Data may not be processed outside of the purposes informed and consented to by the Data Owners.

5.5. Veracity and quality of Personal Data: Personal Data subjected to Processing must be truthful, complete, accurate, updated, verifiable and understandable. When it is in possession of partial, incomplete, fragmented or misleading Personal Data, GHL must refrain from Processing it, or request its owner to complete or correct the information.

5.6. Transparency: When the Owner requests it, GHL must provide information about the existence of Personal Data that concerns the applicant.

5.7. Restricted circulation: Personal Data can only be Processed by those personnel who have Authorization to do so, or who within their functions are in charge of carrying out such activities. Personal Data may not be delivered to those who do not have Authorization or have not been enabled by GHL to carry out the Treatment.

5.8. Temporality: GHL will not use the Owner's information beyond the reasonable period required by the purpose that was informed to the Owner of the Personal Data.

5.9. Restricted access / Security: Except for expressly authorized Personal Data, GHL may not make Personal Data available for access through the Internet or other means of mass communication, unless technical and security measures are established to control access and Restrict it to authorized people only.

5.10. Confidentiality: GHL must always carry out the Treatment by providing the technical, human and administrative measures that are necessary to maintain the confidentiality of the Personal Data and to prevent it from being adulterated, modified, consulted, used, accessed, deleted, or known by unauthorized persons. , or that the Personal Data is lost. Any new project that involves the Processing of Personal Data by GHL must refer to this Processing Policy to ensure compliance with this rule.

SAW. PROCESSING OF PERSONAL DATA

Personal Data is collected, stored, organized, used, circulated, transferred, updated, rectified, deleted, eliminated and managed in accordance with the purpose or purposes of each type of Treatment.

6.1. Types of Personal Data and Purposes of Treatment:

  • Personal Data Bank of Guests-Clients: Purposes of processing: 1. Reservation management, registration of guests and clients. 2. Management of payments and billing of services. 3. Attention and management of requests, queries and complaints. 4. Management of customer loyalty programs and personalized offers. 5. Sending information and advertising about promotions, events and services. 6. Analysis of customer preferences and consumption habits to improve the quality of services. 7. Analysis of the effectiveness of marketing strategies and continuous improvement of the services offered. 8. Security and privacy protection. 9. Access control and security in the facilities. 10. Management of contracted third-party services (for example, transportation or tourism services). 11. Attention to medical emergencies and health risk situations. 12. Management of relationships with Managers (suppliers and external service providers). 13. Conducting market studies and competitor analysis. 14. Conducting service surveys after the stay that allow the rating of the service provided. 15. Carry out treatment directly or through a person in charge of treatment, located in Colombia or any other country, to whom the Client's personal data is provided, or the necessary international transfer is carried out, as the case may be, to carry out the treatment on behalf of GHL. Treatment System: Automated and non-automated. Procedure to collect Information: Source: From the Owner of the Personal Data or his or her representative. Support: Paper, computer/magnetic, via telematics. Procedure: Physical and/or virtual forms and/or Registration Form, electronic transmission, telephone calls.

  • Candidates' Personal Data Bank: Purposes of processing: 1. Receive, request and store resume supports. 2. Have communication by email and/or telephone to request information and provide details of the call. 3. Include in a database to have a record and follow-up of the request. 4. Verify compliance with requirements as part of the selection process. 5. Manage the summons and application of tests and interviews, directly or through a provider. 6. Obtain reports of the results of the information analysis and evaluation of tests as part of the selection process in its different filters. 7. Keep the test results, in order to take them into account in future selection processes. 8. Leave a record of attendance at the tests and the interview. 9. Access and consult personal data (private, semi-private, sensitive or reserved) that reside or are contained in databases or files of any public or private entity, whether national, international or foreign. 10. Carry out treatment directly or through a person in charge of the treatment, located in Colombia or any other country, to whom the Candidate's personal data is provided, or the necessary international transfer is carried out, as the case may be, to carry out the treatment on behalf of GHL. 11. Provide, share, send or deliver the candidate's personal data to its affiliated companies, subsidiaries, linked companies and in general to any related party located in Colombia or any other country. 12. Use and treatment of my sensitive information that has been obtained due to the selection process, as well as that related to minors and family data of people included in the family group or dependents, which was provided for the purposes derived from the interviews, tests and information provided. 13. Use and processing of biometric data, such as fingerprints, video image, recordings, among others, for the necessary purposes of the employment contract Processing System: Automated and non-automated. Procedure to collect Information: Source: From the Owner of the Personal Data. Support: Paper, computer/magnetic, via telematics. Procedure: Forms, physical/electronic transmission.

  • Collaborators' Personal Data Bank: Purposes of the treatment: 1. Management and administration of the company's Human Talent. 2. Compliance with labor regulations. 3. Prevention of occupational risks. 4. Attention to medical emergencies and health risk situations. 5. Access control and security in facilities. 6. All activities related to hiring, affiliations and making payroll payments. 7. Manage salaries and benefits. 8. Carry out wellness activities. 9. Coordinate performance management, professional development and career plan. 10. Carry out treatment directly or through a person in charge of the treatment, located in Colombia or any other country, who is provided with the Collaborator's personal data, or the necessary international transfer is carried out, depending on the case, so that the treatment can be carried out on behalf of GHL. Treatment System: Automated and non-automated. Procedure to collect Information: Source: From the Owner of the Personal Data. Support: Paper, computer/magnetic, via telematics. Procedure: Forms, physical/electronic transmission.

  • Suppliers' Personal Data Bank Purposes of treatment: 1. Manage information from providers to monitor and compensate for the service provided. 2. Supplier list management. 3. Access control and security in the facilities. 4. Purchase analysis 5. Evaluation prior to and during the provision of the service or product. 6. Access and consult personal data (private, semi-private, sensitive or reserved) that reside or are contained in databases or files of any public or private entity, whether national, international or foreign. 7. Carry out treatment directly or through a person in charge of treatment, located in Colombia or any other country, to whom the Provider's personal data is provided, or the necessary international transfer is carried out, as the case may be, to carry out the treatment on behalf of GHL. Treatment System: Automated and non-automated. Procedure to collect Information: Source: From the owner of the Personal Data. Support: Computer/magnetic. Procedure: Electronic transmission.

  • Owner's Personal Data Bank: Purposes of treatment: 1. Manage information about hotel owners. 2. Payment management 3. Access control and security at the facilities. Treatment System: Automated and non-automated. Procedure to collect Information: Source: From the owner of the Personal Data. Support: Computer/magnetic. Procedure: Electronic transmission.

  • Personal Data Bank of Video Surveillance Cameras: Purposes of the treatment: 1. Support security, entry and exit control of people through video surveillance. 2. Verification of incidents and protection of the Company's assets and resources through video surveillance elements. 3. Support compliance with safety measures at work. 4. If required by a competent authority, recordings can be delivered in order to comply with the due request Treatment System: Automated. Obtaining procedure: Source: From the Owner of the Personal Data. Support: Video. Procedure: Electronic transmission.

  • Personal Data Bank of Guests-Clients: · Identification data: Full names and surnames, identification document or passport number, address, email address, telephone number, signature. · Personal characteristics data: Date of birth, nationality, sex. · Social data: · Arrival and departure information, number of nights in the reservation, type of room, services to be used. · Information associated with your profession or trade. · Financial Data: Credit card number and financial income · Sensitive Data: Information related to physical or mental health, emotional or family life, biometric data, judicial and police records

  • Candidates' Personal Data Bank · Identification data: Full names and surnames, identity document number, address, email address, telephone number, social networks, and image. · Personal characteristics data: Date of birth, nationality, sex, marital status, profession, age, work experience, academic data, contact person data. · Sensitive data: Information related to physical or mental health, emotional or family life, economic income, biometric data, blood group, judicial and police records.

  • Collaborators' Personal Data Bank · Identification data: Full names and surnames, identity document number, address, email address, telephone number, social networks and image. · Personal characteristics data: Date of birth, nationality, sex, marital status, profession, age, work experience, academic data, contact person data and hobbies. · Financial and insurance data: Banking data, insurance, pension/retirement plans. · Sensitive data: Information related to physical or mental health, emotional or family life (including information on girls, boys and adolescents), economic data, biometric data, blood group, judicial and police records

  • Suppliers' Personal Data Bank · Identification data: Full names and surnames, identity document number, Tax ID, tax data, address, email address, telephone number. · Personal characteristics data: Position and contact information for the company where you work.

  • Personal Data Bank of Owners · Identification data: Full names and surnames, identity document number, RUC number, address, email address, telephone number. · Personal characteristics data: Profession. · Financial and insurance data: Bank details.

  • Personal Video Surveillance Data Bank: · Identification data: Image and, if applicable, voice.

6.2. Refusal to provide Personal Data by the Owner

Taking into consideration that according to the services provided by GHL, identification data are required in accordance with the Applicable Regulations, in the event that a Personal Data Owner refuses to provide them, GHL will not be able to provide the service or carry out the contract.

VII. Recipients to whom personal data are communicated

In general, all personal data collected may be processed directly by the Hotel or by companies that have links to the Hotel's operating and/or reporting activities. In this way, we may share (Transmit or Transfer) your information with third parties. These third parties may be the owners of the hotels, or counterparties in contracts related to the operation of the hotels, which include, but are not limited to, companies legally constituted in accordance with the laws of their domicile or trust vehicles, companies affiliated or integrated into our organization, as well as other entities related to the hotel sector. The purpose of sharing this information is to ensure the proper provision of our services.

Some of these third parties may be located outside the territory in which we operate, including in countries that may not offer an equivalent level of data protection to the country in which our operations reside. However, we will ensure that any data transfer complies with applicable laws and regulations to ensure the security and protection of information.

Importantly, we will only share your information with third parties where necessary to fulfill our contractual commitments, protect our legitimate interests or comply with legal obligations.

To facilitate travel, it may be necessary to disclose and process personal data for immigration, border control, security and anti-terrorism purposes, or other purposes determined appropriate by government authorities at the points of departure and/or destination. Some countries require passenger details to be provided in advance to allow travel. In compliance with the law or if we are legally authorized, we may share the minimum necessary personal data with other authorities.

VIII. RIGHTS OF THE OWNER OF PERSONAL DATA

GHL is committed to ensuring the exercise of the data protection rights of the Owners applicable in the jurisdictions where we have prescience.

In that sense, below are some of the types of rights without limiting them, given that we operate in different countries:

8.1. Right of Access: The Owners have the right to know what information about themselves has been stored in GHL; how and why it was collected; as well as the transfers made or those that

are planned to be carried out.

8.2. Right to Rectification: Owners have the right to request the modification of Personal Data that was collected incorrectly, incomplete, inaccurate, outdated or falsely, in a public or private data bank. At the same time, it allows the updating and inclusion of new Personal Data.

8.3. Right to be Forgotten: The Owners have the right to cancellation or opposition in the Internet environment, specifically from search engines, and with its exercise limit the dissemination of information when it is obsolete, is not relevant or contravenes the norm.

8.4. Right to Cancellation: Any person may request the cancellation or deletion of their Personal Data when they no longer fulfill a purpose, when consent has been revoked or the period for processing has elapsed. The request for deletion or cancellation may refer to all the Personal Data of the owner contained in a Personal Data Bank or only to some part of them.

8.5. Right to Revoke: The Owners may at any time request the Controller or Processor to delete their personal data and/or revoke the authorization granted for the Treatment thereof. The request for deletion of information and revocation of authorization will not proceed when the Owner has a legal or contractual duty to remain in the database.

8.6. Right of Portability: Power of the Owner to receive from the person responsible for personal data, his/her personal data, in a compatible, updated, structured, common and mechanical format.

IX. CONTACTS FOR CARE OF REQUESTS, QUERIES AND COMPLAINTS

GHL has channels for receiving and responding to requests, complaints, claims and queries of all kinds related to Personal Data so that, if applicable, the Owners can exercise the rights related to their personal data.

Through the following channels, our teams will receive the request and will respond within the deadlines defined in the applicable law in your country.

8.1. Guests

§ Customer service: Hotel where you are staying § Email: ventaspersonales@ghlhoteles.com or contactenos@ghlhoteles.com

8.2. Candidates, collaborators and retired collaborators

§ Telephone: 57 31393333 § Email: th.oficinacentral@ghlhoteles.com or contactenos@ghlhoteles.com

§ Correspondence: Av calle 72 No 6-30 floor 8 and 13 of Bogotá, Colombia

8.3. Suppliers (Purchasing) § Email: ventaspersonales@ghlhoteles.com or contactenos@ghlhoteles.com

§ In person: Av calle 72 No 6-30 floor 8 and 13 of Bogotá, Colombia

8.4. Owners § Email: datapersonales@ghlhoteles.com or contactenos@ghlhoteles.com

X. PROCEDURES TO EXERCISE THE RIGHTS OF THE OWNERS OF PERSONAL DATA

GHL will have mechanisms for the Owner, his successors, his representatives and/or attorneys, those to whom it has been stipulated in favor of another or for another, and/or the representatives of minor Owners, to formulate queries regarding which the Personal Data of the Owner that rests in the GHL Databases.

GHL has channels in place that allow secure and quick interaction with the Owners. GHL indicates that only Owners who demonstrate ownership of the personal data or legal representation to exercise any of the data protection rights will be served.

To exercise the rights of the Owners, a request must be submitted which must include at least the following data:

to. Full names and surnames of the Holder of the right and identity number or passport (prove the same, and, where appropriate, his representative).

b. Include a clear and precise description of the personal data with respect to which you seek to exercise any of the aforementioned rights.

c. Indicate the specific request that gives rise to the request and documents that support it, if applicable.

d. Include the right or rights you wish to exercise

and. Address, or address that can be physical or electronic, for the purposes of corresponding notifications.

F. Accompany the request with documents that prove the identity of the Owner or the legal representative

g. Date and signature of the applicant (when it is a physical application).

XI. DATA OF THE TREATMENT CONTROLLER

HOLDING HOTELERA GHL SAS

NIT: 901580112 2

Central Office: Calle 72 # 6-30, Bogotá – Colombia

Telephone: +57 3139333

XII. VALIDITY AND CHANGES

This Policy is approved on May 22, 2024, the date from which it is applicable.

This Policy may be modified by GHL when required without prior notice, provided that they are non-substantial modifications. Otherwise, they will be previously communicated to the Owners.

GHL reserves the right to implement the Policy at any time.

XIII. ANNEXES

Ecuador Annex

Cookies Policy, More details can be found in our page Cookies Policy