Official Website Movich Hotels’s Privacy Policy
Free Wifi

GLOBAL INVERSIONES HOTELERAS S.A.S. PERSONAL DATA PROTECTION POLICY

1. PURPOSE:
The promotion by GLOBAL INVERSIONES HOTELERAS S.A.S., holder of Tax Identification Number 900.522.845-1, of the correct Personal Data Processing, in compliance of Law 1581 of 2012 “Through which general provisions for the protection of personal data were established” and Decree 1377 of 2013, “Through which Law 1581 of 2012 is partially regulated”
Whereas, GLOBAL INVERSIONES HOTELERAS S.A.S. prepared the Personal Data Processing Policy herein, which is mandatory for all its receivers.

2. SCOPE: 
The policy herein shall be applied to the Personal Data Processing conducted within the Colombian territory, or, when the Norm is applicable to the Responsible for and/or Assigned outside the Colombian territory, in virtue of international treaties, contracts, or the like.

The principles and provisions included herein shall apply to the Data Bases which hold information of personal nature and which are kept under the custody of GLOBAL INVERSIONES HOTELERAS S.A.S., whether as Responsible and/or as Assigned to such Processing.

Every organizational process of GLOBAL INVERSIONES HOTELERAS S.A.S. which involves Personal Data Processing shall be governed by the provisions herein.

3. OFFICIALS RESPONSIBLE FOR THE POLICY 
This is a mandatory policy and the following people must fully abide by it:

• Legal Representatives of GLOBAL INVERSIONES HOTELERAS S.A.S.
• Workers of GLOBAL INVERSIONES HOTELERAS S.A.S.
• Contractors and third parties who act on behalf of GLOBAL INVERSIONES HOTELERAS S.A.S. or who provide their personal services to GLOBAL INVERSIONES HOTELERAS S.A.S. under any type of contract in virtue of which there is Personal Data Processing.
• Shareholders and Statutory Auditors.
• Any other person as provided for by law.
The breach to this Policy shall result in labor, criminal or civil penalties, as applicable.

4. DEFINITIONS: 
Under the regulations in force on the matter, the following definitions are adopted:

Holder: individual whose Personal Data are being processed.
Authorization: Prior, special and informed consent to perform Personal Data Processing
Data Base: organized set of Personal Data subject to Processing.
Personal datum: Any piece of information which is or may be connected to one or more determined or capable of being determined individuals
Public datum: any piece of information which is not of a private, semiprivate or sensitive in nature. The following are considered as public data: civil status, profession or occupation and the quality as trader or public servant of an individual. As per their nature, public data may be included in public records, public documents, journals and official newsletters and executed judicial rulings not subject to a reserved status.
Sensitive Data:  Understood as those that have an impact on the intimacy of the holder or whose inadequate use may cause discrimination, such as those that reveal racial or ethnical origin, political affiliation, religious or philosophical convictions, belonging to trade unions, social organizations, or human rights or which promote the interests of any political party or which guarantee the rights and guarantees of opposing political parties, as well as those connected to health, sexual orientation and biometrical data.
Assigned to processing: Natural or juridical, public or private person, who individually or collectively conducts Personal Data Processing on behalf of the person Responsible for processing.
Responsible for Processing: individual or juridical entity, of private or public nature which, by itself or by association with others, is capable of making decisions on the Data Base and/or data Processing of Personal Data.
Processing: Any operation or set of operations connected to Personal Data, such as collection, storage, use, disclosure or suppression
Transfer: A transfer takes place when the Responsible for or the Assigned to Personal Data Processing, located in Colombia, sends information or Personal Data to a receiver, who is in turn the Responsible for Processing and who is located within the national territory or abroad.
Transmission: Personal Data Processing which implies the communication of the same within or outside the territory of the Republic of Colombia if the purpose of such communication is to perform Data Processing by the Assignee on behalf of the Responsible.
Privacy Notice: Any verbal or written communication issued by the Responsible for Processing, addressed to the Holder in order to perform Personal Data Processing, through which the existence and application of Data Processing and the access and use given to Personal Data are informed.

5. PRINCIPLES 
Under the provisions of the regulations in force on the matter, the following principles are adopted:

• Legitimacy in terms of Personal Data Processing: Personal Data Processing in Colombia is a regulated activity and therefore, the business processes and the audiences of the norm must abide by the same.
• Freedom: Data Processing can only be conducted under prior, express and informed consent from the Holder. Personal Data may not be obtained, processed or disclosed without prior consent, or in absence of a legal or judicial mandate to relief such consent.
• Purpose: Data Processing must have a legitime purpose under the Constitution and the Law, which must be informed to the holder in an express, accurate and previous manner for him/her to express his/her informed consent.
• Truthfulness or Quality: Data subject to processing must be truthful, complete, accurate, updated, verifiable and understandable. Personal Data Processing on partial, incomplete, fractioned or misleading data is forbidden.
• Transparency: The Data Processing process, must guarantee at all times that the right of the Holder to receive, without limitation, information about the existence of data of interest from the Responsible for or Assigned to Processing.
• Access and Restricted Disclosure: Data Processing is subject to the limits derived from the nature of the Personal Data, as provided for by the Constitution and the Law. To this sense, Data Processing may only be conducted by those individuals authorized by the Holder and/or any other individual as provided for by law.
• Personal Data, except for public data, may not be made available through the Internet or any other mass media, except if access to such data is technically controllable to provide restricted knowledge only to the Holders or authorized third parties, as set forth herein.
• Security: Any data subject to processing by the Responsible for or the Assigned to Processing, as provided for by law, must be handled under the technical, human and administrative measures needed to provide enough security to the records, thus avoiding tampering with, loss, check, non-authorized or fraudulent use of the same.
• Confidentiality: Every individual involved in processing data which is not of public nature is compelled to guarantee that the information is kept as reserved, even upon termination of any of the tasks including in the Data Processing process, while only being able of providing or disclosing any Personal Data in an event connected to the development of authorized by law activities under the provisions thereof.

6. DUTIES OF THE RECEIVERS OF THE POLICY
The duties of the receivers of the Policy herein are described below, without prejudice to any additional duty imposed under Law 1581 of 2012 and Decree 1377 of 2013:

6.1 DUTIES OF THE INDIVIDUALS RESPONSIBLE FOR PROCESSING PERSONAL DATA
a.  To guarantee the Holder the full and effective exercise of the habeas data right, to wit: knowing, updating or correcting his/her personal data at any time.
b. To require and keep, under the conditions set forth herein, a copy of the corresponding Authorization granted by the Holder.
c. To inform the Holder of the Personal Data in a clear, sufficient and previous manner the purpose of the information provided.
d. To solely collect those Persona Data relevant and adequate for the purpose intended as the same are collected.
e. To process any check or claim submitted under the terms set forth herein.
f. To comply with the principles set forth herein.
g. To keep the information under the necessary security conditions as to prevent any tampering with, loss, check, or non-authorized use or access to such information.
h. To update the information, by timely communicating the person Assigned to Processing, any news regarding the Personal Data which could have been previously delivered and to adopt any necessary measures to keep the provided information updated.
i. To correct any inaccurate information and, if relevant, transfer such correction to the Assigned to Processing.
j. To provide the Assigned to Processing, as applicable, only the Personal Data whose Processing has been previously authorized.
k. To require the person Assigned to Processing to abide, at all times, by the security and privacy conditions of the information of the Holder.
l. To process any check or claim submitted under the terms provided for herein.
m. To implement an internal policy and procedures manual to guarantee the correct Processing of Personal Data under the provisions applicable and any instructions given on the matter by the Superintendence of Industry and Trade.
n. To inform the Assigned to Processing when any given information is subject to discussion by the Holder, once the claim has been submitted and the corresponding procedures has not concluded.
o. To inform, as per request of the Holder, of the use given to his/her Personal Data.
p. To inform the Personal Data authority of any breach to the security codes and if there is any risk regarding the management of the information of the Holders.
q. To comply with the instructions and requirements given by the Superintendence of Industry and Trade.

6.2 DUTIES OF THE ASSIGNED TO DATA PROCESSING
a. To guarantee the Holder, at all times, the full and effective exercise of the habeas data right.
b. To keep the information under the necessary security conditions as to prevent tampering with, loss, check, or non-authorized or fraudulent use or access to.
c. To update, correct or remove Personal Data as set forth by Law.
d. To update the information reported by those Responsible for Processing within five (5) business days from the date received.
e. To process any check or claim submitted by the Holders
f. To implement an internal policy and procedures manual to guarantee the correct Processing of Personal Data under the provisions applicable and any instructions given on the matter by the Superintendence of Industry and Trade.
g. To record within the Data Base the wording “claim in progress” as provided for by Law.
h. To include in the Data Base the wording “information under judicial discussion” upon receiving notice by the competent authority on any judicial proceeding regarding the quality of any Personal Datum.
i. To refrain from disclosing any information under controversy by the Holder and whose blockage has been ordered by the Superintendence of Industry and Trade.
j. To allow access to the information only for those people who hold clearance to access the same.
k. To inform the Superintendence of Industry and Trade in the event of any breach to the security codes and if there is any risk regarding the management of the information of the Holders.
l. To comply with the instructions and requirements given by the Superintendence of Industry and Trade.

7. RIGHTS OF THE HOLDERS OF PESONAL DATA 
a. To know, update and correct its own Personal Data before those Responsible for Processing or Assigned to Processing. This right may be exercised, among others, regarding partial, inaccurate, incomplete, fractioned, misleading or any other data whose Processing is expressly forbidden or which has not been authorized.
b. To require proof of the authorization granted to the Responsible for Processing except when expressly exempt as a requirement for Processing (any event in which such Authorization is not needed).
c. To be informed by the Responsible for Processing or the Assigned to Processing, as per previous request, regarding the use given to his/her Personal Data.
d. To submit before the Superintendence of Industry and Trade any claim due to breach to the provisions set forth herein and any other norm that amend, add or complement the same.
e. To cancel the Authorization and/or request the removal of the Personal Datum when the constitutional and legal principles, rights and guarantees are not complied with during Processing.
f. To freely access its Personal Data subject to Processing

8. LEGITIMACY FOR EXERCISING THE RIGHTS OF THE HOLDER
The rights of the holders may be exercised by the following individuals:

a. By the Holder, who must credit his/her identity in an adequate manner through the different media made available by the Responsible for Processing.
b. By the successors and assigns of the Holder who must credit such capacity.
c. By the representative and/or proxy of the Holder, under previous crediting of such representation or proxy.
d.By stipulation in favor of or to a third party.
e.The rights of minors, boys and girls, and adolescents shall be exercised by the individuals capable of representing them.

9. PEOPLE WHO MAY RECIEVE INFORMATION OF THE HOLDER OF PERSONAL DATA.
a. Any Holder, their successors or representatives;
b. Any public or administrative entity while exercising their legal duties or under a judicial order;
c. Any third party if authorized by the Holder or the Law.

10.  PURPOSE OF PROCESSING
In compliance of the Principle of Purpose, Personal Data Processing by GLOBAL INVERSIONES HOTELERAS S.A.S., as Responsible or Assigned of the same, shall be ruled by the following parameters:

10.1        PERSONAL DATA CONNECTED TO HUMAN RESOURCES MANAGEMENT.

a.   Before subscribing a contract.
GLOBAL INVERSIONES HOTELERAS S.A.S. collects, stores, reads, uses and processes information and Personal Data of any candidate to employee, by informing in advance the rules applicable to any Personal Data provided subject to Processing. In any case, the purpose of delivering Personal Data is limited to participating in the recruitment process and subsequent traceability, and therefore any other use is strictly forbidden.

The information submitted by the candidates to a vacant position in GLOBAL INVERSIONES HOTELERAS S.A.S., shall be kept in storage for a five (5) year period from the date of the last Processing, to comply with the applicable administrative, accounting, fiscal, juridical and historical provisions in force on such information and any other legal requirement.

The Personal Data and information obtained from the recruitment process regarding the selected workers or contractors, shall be stored by GLOBAL INVERSIONES HOTELERAS S.A.S. under strict security measures.

b. During and upon termination of the contract.
GLOBAL INVERSIONES HOTELERAS S.A.S. collects, stores, checks, uses, shares, interchanges, transfers, discloses and process the personal information provided by its employees with the purpose of executing and developing the labor contract, and applying the legislation, jurisprudence and regulations in legal, social security, occupational risks grounds, granting benefits to the employee and its beneficiaries and for any other purpose needed for the correct development of the employee – employer relationship. Likewise, GLOBAL INVERSIONES HOTELERAS S.A.S. collects, uses, shares, interchanges, sends, transfers, discloses and processes information and Personal Data of removed or retired employees, retirees or pensioners, bonded third parties, family group, beneficiaries and any other individual who has or has had an employment contract with GLOBAL INVERSIONES HOTELERAS S.A.S.

GLOBAL INVERSIONES HOTELERAS S.A.S. shall store the Personal Data of its employees under a dossier identified with the full name of each one of them. Access to such dossier is limited to the Human Resources Management Area and the Legal Area of GLOBAL INVERSIONES HOTELERAS S.A.S., with the only purpose of managing the contractual relationship.

Such information shall be kept in storage, physically or through electronic means, as provided for by Article 264 of the Substantive Labor Code, or kept for the maximum term needed to comply with the legal or contractual obligations imposed to us, in particular, any accounting, contractual, fiscal or tax obligation.

10.2 PROVIDERS’ PERSONAL DATA.
GLOBAL INVERSIONES HOTELERAS S.A.S. collects, stores, checks, uses, shares, interchanges, transfers, discloses and process the personal information provided by its providers which has been supplied as part of the procurement process of any goods or services delivered to GLOBAL INVERSIONES HOTELERAS S.A.S., before, during or after the contractual relationship.

GLOBAL INVERSIONES HOTELERAS S.A.S. shall collect the Personal Data of the employees of the provider, whenever such data is needed for security reasons according to the nature of the contracted service.

10.3 CLIENTS’ PERSONAL DATA
a. Processing and verification of any information needed to process reservations in the Movich Hotels & Resorts chain.
b. Updating or correcting information during the stay in the hotels of the Movich Hotels & Resorts chain.
c. Offering, subscribing and executing accommodation contracts and any other service connected to the travel experience of the guest of the Movich Hotels & Resorts chain.
d. Offering, subscribing and executing banquet and hall rental contracts with the facilities of the Movich Hotels & Resorts chain.
e. Controlling and preventing fraud, asset laundering and financing of terrorism.
f. Preparing marketing and statistics studies.
g. Sending out information or offering services connected to the social purpose of GLOBAL INVERSIONES HOTELERAS S.A.S.
h. Sending out offers and/or commercial or services communications to the street address or e-mail included in the data recording forms filled up by the guest.
i. Contacting the guest by telephone, to notify offers and/or commercial or service communications
j. Sending out satisfaction surveys to learn about the quality of the serviced delivered by GLOBAL INVERSIONES HOTELERAS S.A.S.

In the event of collecting data in virtue of the Movich Dreams loyalty program, Personal Data of the associates shall be additionally processed for the following purposes.

a. Operating the Movich Dreams program.
b. Identifying the associate and keeping open communication with him/her, including but not limited to sending information on accumulation or redemption transactions on his/her account and sending any other hard copy or electronic mail.
c. Crediting the points from the Movich Dreams program to the associate’s account.
d. Allowing the associate to redeem points for nights in participating hotels.
e. Enabling the associate to receive the benefits redeemed through his/her points.
f. Keeping updated and backed-up the points balance of the associate’s account.
g. Sending offers and/or communications to the associate based upon his/her likes and preferences or previous behavior.
h. Subcontracting third parties in the capacity of Assignees of Personal Data for them to process the information of the associates and/or conduct any other activity as required by Movich Dreams and/or the hotels regarding the Movich Dreams program.

The Holder of Personal Data and/or sensitive data hereby authorizes GLOBAL INVERSIONES HOTELERAS S.A.S. to transfer its personal information to its headquarters, subsidiaries and affiliates, as well as to any other company pertaining to the Movich Hotels & Resorts Hotel Chain.

10.4.   PERSONAL DATA OF THE COMMUNITY IN GENERAL.
The collection of Personal Data from individuals conducted by GLOBAL INVERSIONES HOTELERAS S.A.S. to develop its corporate purpose shall abide by the provisions set forth herein.

11. INTERNATIONAL TRANSFER OF PRESONAL DATA
The Transfer of Personal Data to countries which do not provide adequate levels of protection of Personal Data is forbidden. A country shall be deemed as safe if it complies with the standards determined by the Superintendence of Industry and Trade.

Notwithstanding the aforementioned, as an exception, transfer shall be allowed in the following cases:

• The Holder of the Personal Datum has expressly and clearly authorized such transfer
• Banking or Stock Exchange transfer, as provided for by the applicable law.
• Transfers agreed to under the framework of international treaties of which Colombia is a party, based upon the reciprocity principle.
• Transfers needed for the execution of a contract between the Holder and the Responsible for Processing
• Lawfully required transfers to safeguard public interest or for the acknowledgement, exercise or defense of a right within a judicial proceeding.

12. INDIVIDUAL OR AREA RESPONSIBLE FOR THE PROTECTION OF PERSONAL DATA
The Office of the Managerial and Income Optimization Vice-President shall be responsible for the enforcement of the Policy herein inside GLOBAL INVERSIONES HOTELERAS S.A.S. and shall process every request by the Holders. If you need extra information you contact us to atencionalcliente@movichhotels.com exercising the rights as provided for Law 1581 of 2012, Decree 1377 of 2013 and the Policy herein.

13. TEMPORALITY OF PERSONAL DATA
The permanence of Personal Data in the information systems of GLOBAL INVERSIONES HOTELERAS S.A.S. shall be determined by the purposes of Processing. Upon termination of said purpose, unless any other obligation to keep for a longer period is imposed by law, the Document Retention Table shall be considered by the area responsible for processing such data, in accordance with the POPP- 006-VV document management policy.

14. INFORMATION SECURITY
The guarantees and reserve imposed by the Political Constitution of Colombia, the norms on the protection of personal data and any other concordant and complementary norms shall be complied with when processing data. For such purposes, GLOBAL INVERSIONES HOTELERAS S.A.S. has adopted the legal required levels of security for the protection of personal data, thus installing the technical and organizational measures needed to prevent any loss, misuse, tampering with, check, non-authorized or fraudulent use or access or robbery of the data received.

GLOBAL INVERSIONES HOTELERAS S.A.S. will not be held responsible for any consequence resulting from the unlawful access of third parties to its websites or for any technical failure in their functioning. Likewise, GLOBAL INVERSIONES HOTELERAS S.A.S. does not assume any responsibility for inaccurate data or typographic mistakes that the contents uploaded to the network by the website administrator may display.

15. HELP DESK
The User of the information delivered, at any time, may exercise its rights as provided for by Article 8 of Law 1581 of 2012, within which the following are included: requesting information; knowing, updating, rectifying and requesting the suppression of its personal data; and requesting proof of the authorization granted and revoking the same. Notwithstanding the aforementioned, personal data shall be kept where required to comply with a legal or contractual obligation, as provided for by Law 1581 of 2012, its regulatory decrees and any other norms which complement or amend the same.

The User who does not desire to be contacted after delivering his/her information or personal data, must:

1. Express such decision when filling up the data collection forms.
2. When receiving information via e-mail, he/she may unsubscribe from the contact list by clicking on the safe subscription link, which is clearly highlighted.
3. Expressly request his/her decision of not receiving any further information by e-mail to atencionalcliente@movichhotels.com, under the subject: “cancel subscription”.

The Customer Service Area is responsible for channeling any requests on data protection within Movich Hotels and it is also responsible for personally assisting every User and Holder of information.

16. INFORMATION OF THE RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA
Name: GLOBAL INVERSIONES HOTELERAS S.A.S.
Nit: 900.522.845 -1,
Adress: Av Calle 26 # 59 -15 floor 9, Bogotá
Email: atencionalcliente@movichhotels.com

This policy was updated on April 23, 2019.

GLOBAL OPERADORA HOTELERA S.A.S. PERSONAL DATA PROTECTION POLICY

1. PURPOSE:
The promotion by GLOBAL OPERADORA HOTELERA S.A.S., holder of Tax Identification Number 900.521.807-7, of the correct Personal Data Processing, in compliance of Law 1581 of 2012 “Through which general provisions for the protection of personal data were established” and Decree 1377 of 2013, “Through which Law 1581 of 2012 is partially regulated”
Whereas, GLOBAL OPERADORA HOTELERA S.A.S. prepared the Personal Data Processing Policy herein, which is mandatory for all its receivers.

2. SCOPE: 
The policy herein shall be applied to the Personal Data Processing conducted within the Colombian territory, or, when the Norm is applicable to the Responsible for and/or Assigned outside the Colombian territory, in virtue of international treaties, contracts, or the like.

The principles and provisions included herein shall apply to the Data Bases which hold information of personal nature and which are kept under the custody of GLOBAL OPERADORA HOTELERA S.A.S., whether as Responsible and/or as Assigned to such Processing.

Every organizational process of GLOBAL OPERADORA HOTELERA S.A.S. which involves Personal Data Processing shall be governed by the provisions herein.

3. OFFICIALS RESPONSIBLE FOR THE POLICY 
This is a mandatory policy and the following people must fully abide by it:

• Legal Representatives of GLOBAL OPERADORA HOTELERA S.A.S.
• Workers of GLOBAL OPERADORA HOTELERA S.A.S.
• Contractors and third parties who act on behalf of GLOBAL OPERADORA HOTELERA S.A.S. or who provide their personal services to GLOBAL OPERADORA HOTELERA S.A.S. under any type of contract in virtue of which there is Personal Data Processing.
• Shareholders and Statutory Auditors.
• Any other person as provided for by law.
The breach to this Policy shall result in labor, criminal or civil penalties, as applicable.

4. DEFINITIONS: 
Under the regulations in force on the matter, the following definitions are adopted:

Holder: individual whose Personal Data are being processed.
Authorization: Prior, special and informed consent to perform Personal Data Processing
Data Base: organized set of Personal Data subject to Processing.
Personal datum: Any piece of information which is or may be connected to one or more determined or capable of being determined individuals
Public datum: any piece of information which is not of a private, semiprivate or sensitive in nature. The following are considered as public data: civil status, profession or occupation and the quality as trader or public servant of an individual. As per their nature, public data may be included in public records, public documents, journals and official newsletters and executed judicial rulings not subject to a reserved status.
Sensitive Data:  Understood as those that have an impact on the intimacy of the holder or whose inadequate use may cause discrimination, such as those that reveal racial or ethnical origin, political affiliation, religious or philosophical convictions, belonging to trade unions, social organizations, or human rights or which promote the interests of any political party or which guarantee the rights and guarantees of opposing political parties, as well as those connected to health, sexual orientation and biometrical data.
Assigned to processing: Natural or juridical, public or private person, who individually or collectively conducts Personal Data Processing on behalf of the person Responsible for processing.
Responsible for Processing: individual or juridical entity, of private or public nature which, by itself or by association with others, is capable of making decisions on the Data Base and/or data Processing of Personal Data.
Processing: Any operation or set of operations connected to Personal Data, such as collection, storage, use, disclosure or suppression
Transfer: A transfer takes place when the Responsible for or the Assigned to Personal Data Processing, located in Colombia, sends information or Personal Data to a receiver, who is in turn the Responsible for Processing and who is located within the national territory or abroad.
Transmission: Personal Data Processing which implies the communication of the same within or outside the territory of the Republic of Colombia if the purpose of such communication is to perform Data Processing by the Assignee on behalf of the Responsible.
Privacy Notice: Any verbal or written communication issued by the Responsible for Processing, addressed to the Holder in order to perform Personal Data Processing, through which the existence and application of Data Processing and the access and use given to Personal Data are informed.

5. PRINCIPLES 
Under the provisions of the regulations in force on the matter, the following principles are adopted:

• Legitimacy in terms of Personal Data Processing: Personal Data Processing in Colombia is a regulated activity and therefore, the business processes and the audiences of the norm must abide by the same.
• Freedom: Data Processing can only be conducted under prior, express and informed consent from the Holder. Personal Data may not be obtained, processed or disclosed without prior consent, or in absence of a legal or judicial mandate to relief such consent.
• Purpose: Data Processing must have a legitime purpose under the Constitution and the Law, which must be informed to the holder in an express, accurate and previous manner for him/her to express his/her informed consent.
• Truthfulness or Quality: Data subject to processing must be truthful, complete, accurate, updated, verifiable and understandable. Personal Data Processing on partial, incomplete, fractioned or misleading data is forbidden.
• Transparency: The Data Processing process, must guarantee at all times that the right of the Holder to receive, without limitation, information about the existence of data of interest from the Responsible for or Assigned to Processing.
• Access and Restricted Disclosure: Data Processing is subject to the limits derived from the nature of the Personal Data, as provided for by the Constitution and the Law. To this sense, Data Processing may only be conducted by those individuals authorized by the Holder and/or any other individual as provided for by law.
• Personal Data, except for public data, may not be made available through the Internet or any other mass media, except if access to such data is technically controllable to provide restricted knowledge only to the Holders or authorized third parties, as set forth herein.
• Security: Any data subject to processing by the Responsible for or the Assigned to Processing, as provided for by law, must be handled under the technical, human and administrative measures needed to provide enough security to the records, thus avoiding tampering with, loss, check, non-authorized or fraudulent use of the same.
• Confidentiality: Every individual involved in processing data which is not of public nature is compelled to guarantee that the information is kept as reserved, even upon termination of any of the tasks including in the Data Processing process, while only being able of providing or disclosing any Personal Data in an event connected to the development of authorized by law activities under the provisions thereof.

6. DUTIES OF THE RECEIVERS OF THE POLICY
The duties of the receivers of the Policy herein are described below, without prejudice to any additional duty imposed under Law 1581 of 2012 and Decree 1377 of 2013:

6.1 DUTIES OF THE INDIVIDUALS RESPONSIBLE FOR PROCESSING PERSONAL DATA
a.  To guarantee the Holder the full and effective exercise of the habeas data right, to wit: knowing, updating or correcting his/her personal data at any time.
b. To require and keep, under the conditions set forth herein, a copy of the corresponding Authorization granted by the Holder.
c. To inform the Holder of the Personal Data in a clear, sufficient and previous manner the purpose of the information provided.
d. To solely collect those Persona Data relevant and adequate for the purpose intended as the same are collected.
e. To process any check or claim submitted under the terms set forth herein.
f. To comply with the principles set forth herein.
g. To keep the information under the necessary security conditions as to prevent any tampering with, loss, check, or non-authorized use or access to such information.
h. To update the information, by timely communicating the person Assigned to Processing, any news regarding the Personal Data which could have been previously delivered and to adopt any necessary measures to keep the provided information updated.
i. To correct any inaccurate information and, if relevant, transfer such correction to the Assigned to Processing.
j. To provide the Assigned to Processing, as applicable, only the Personal Data whose Processing has been previously authorized.
k. To require the person Assigned to Processing to abide, at all times, by the security and privacy conditions of the information of the Holder.
l. To process any check or claim submitted under the terms provided for herein.
m. To implement an internal policy and procedures manual to guarantee the correct Processing of Personal Data under the provisions applicable and any instructions given on the matter by the Superintendence of Industry and Trade.
n. To inform the Assigned to Processing when any given information is subject to discussion by the Holder, once the claim has been submitted and the corresponding procedures has not concluded.
o. To inform, as per request of the Holder, of the use given to his/her Personal Data.
p. To inform the Personal Data authority of any breach to the security codes and if there is any risk regarding the management of the information of the Holders.
q. To comply with the instructions and requirements given by the Superintendence of Industry and Trade.

6.2 DUTIES OF THE ASSIGNED TO DATA PROCESSING
a. To guarantee the Holder, at all times, the full and effective exercise of the habeas data right.
b. To keep the information under the necessary security conditions as to prevent tampering with, loss, check, or non-authorized or fraudulent use or access to.
c. To update, correct or remove Personal Data as set forth by Law.
d. To update the information reported by those Responsible for Processing within five (5) business days from the date received.
e. To process any check or claim submitted by the Holders
f. To implement an internal policy and procedures manual to guarantee the correct Processing of Personal Data under the provisions applicable and any instructions given on the matter by the Superintendence of Industry and Trade.
g. To record within the Data Base the wording “claim in progress” as provided for by Law.
h. To include in the Data Base the wording “information under judicial discussion” upon receiving notice by the competent authority on any judicial proceeding regarding the quality of any Personal Datum.
i. To refrain from disclosing any information under controversy by the Holder and whose blockage has been ordered by the Superintendence of Industry and Trade.
j. To allow access to the information only for those people who hold clearance to access the same.
k. To inform the Superintendence of Industry and Trade in the event of any breach to the security codes and if there is any risk regarding the management of the information of the Holders.
l. To comply with the instructions and requirements given by the Superintendence of Industry and Trade.

7. RIGHTS OF THE HOLDERS OF PESONAL DATA 
a. To know, update and correct its own Personal Data before those Responsible for Processing or Assigned to Processing. This right may be exercised, among others, regarding partial, inaccurate, incomplete, fractioned, misleading or any other data whose Processing is expressly forbidden or which has not been authorized.
b. To require proof of the authorization granted to the Responsible for Processing except when expressly exempt as a requirement for Processing (any event in which such Authorization is not needed).
c. To be informed by the Responsible for Processing or the Assigned to Processing, as per previous request, regarding the use given to his/her Personal Data.
d. To submit before the Superintendence of Industry and Trade any claim due to breach to the provisions set forth herein and any other norm that amend, add or complement the same.
e. To cancel the Authorization and/or request the removal of the Personal Datum when the constitutional and legal principles, rights and guarantees are not complied with during Processing.
f. To freely access its Personal Data subject to Processing

8. LEGITIMACY FOR EXERCISING THE RIGHTS OF THE HOLDER
The rights of the holders may be exercised by the following individuals:

a. By the Holder, who must credit his/her identity in an adequate manner through the different media made available by the Responsible for Processing.
b. By the successors and assigns of the Holder who must credit such capacity.
c. By the representative and/or proxy of the Holder, under previous crediting of such representation or proxy.
d. By stipulation in favor of or to a third party.
e. The rights of minors, boys and girls, and adolescents shall be exercised by the individuals capable of representing them.

9. PEOPLE WHO MAY RECIEVE INFORMATION OF THE HOLDER OF PERSONAL DATA.
a. Any Holder, their successors or representatives;
b. Any public or administrative entity while exercising their legal duties or under a judicial order;
c. Any third party if authorized by the Holder or the Law.

10.  PURPOSE OF PROCESSING
In compliance of the Principle of Purpose, Personal Data Processing by GLOBAL OPERADORA HOTELERA S.A.S., as Responsible or Assigned of the same, shall be ruled by the following parameters:

10.1        PERSONAL DATA CONNECTED TO HUMAN RESOURCES MANAGEMENT.

a.   Before subscribing a contract.
GLOBAL OPERADORA HOTELERA S.A.S. collects, stores, reads, uses and processes information and Personal Data of any candidate to employee, by informing in advance the rules applicable to any Personal Data provided subject to Processing. In any case, the purpose of delivering Personal Data is limited to participating in the recruitment process and subsequent traceability, and therefore any other use is strictly forbidden.

The information submitted by the candidates to a vacant position in GLOBAL OPERADORA HOTELERA S.A.S., shall be kept in storage for a five (5) year period from the date of the last Processing, to comply with the applicable administrative, accounting, fiscal, juridical and historical provisions in force on such information and any other legal requirement.

The Personal Data and information obtained from the recruitment process regarding the selected workers or contractors, shall be stored by GLOBAL OPERADORA HOTELERA S.A.S. under strict security measures.

b. During and upon termination of the contract.
GLOBAL OPERADORA HOTELERA S.A.S. collects, stores, checks, uses, shares, interchanges, transfers, discloses and process the personal information provided by its employees with the purpose of executing and developing the labor contract, and applying the legislation, jurisprudence and regulations in legal, social security, occupational risks grounds, granting benefits to the employee and its beneficiaries and for any other purpose needed for the correct development of the employee – employer relationship. Likewise, GLOBAL OPERADORA HOTELERA S.A.S. collects, uses, shares, interchanges, sends, transfers, discloses and processes information and Personal Data of removed or retired employees, retirees or pensioners, bonded third parties, family group, beneficiaries and any other individual who has or has had an employment contract with GLOBAL OPERADORA HOTELERA S.A.S.
GLOBAL OPERADORA HOTELERA S.A.S. shall store the Personal Data of its employees under a dossier identified with the full name of each one of them. Access to such dossier is limited to the Human Resources Management Area and the Legal Area of GLOBAL OPERADORA HOTELERA S.A.S., with the only purpose of managing the contractual relationship.

Such information shall be kept in storage, physically or through electronic means, as provided for by Article 264 of the Substantive Labor Code, or kept for the maximum term needed to comply with the legal or contractual obligations imposed to us, in particular, any accounting, contractual, fiscal or tax obligation.

10.2 PROVIDERS’ PERSONAL DATA.

GLOBAL OPERADORA HOTELERA S.A.S. collects, stores, checks, uses, shares, interchanges, transfers, discloses and process the personal information provided by its providers which has been supplied as part of the procurement process of any goods or services delivered to GLOBAL OPERADORA HOTELERA S.A.S., before, during or after the contractual relationship.

GLOBAL OPERADORA HOTELERA S.A.S. shall collect the Personal Data of the employees of the provider, whenever such data is needed for security reasons according to the nature of the contracted service.

10.3 CLIENTS’ PERSONAL DATA
a. Processing and verification of any information needed to process reservations in the Movich Hotels & Resorts chain.
b. Updating or correcting information during the stay in the hotels of the Movich Hotels & Resorts chain.
c. Offering, subscribing and executing accommodation contracts and any other service connected to the travel experience of the guest of the Movich Hotels & Resorts chain.
d. Offering, subscribing and executing banquet and hall rental contracts with the facilities of the Movich Hotels & Resorts chain.
e. Controlling and preventing fraud, asset laundering and financing of terrorism.
f. Preparing marketing and statistics studies.
g. Sending out information or offering services connected to the social purpose of GLOBAL OPERADORA HOTELERA S.A.S.
h. Sending out offers and/or commercial or services communications to the street address or e-mail included in the data recording forms filled up by the guest.
i. Contacting the guest by telephone, to notify offers and/or commercial or service communications
j. Sending out satisfaction surveys to learn about the quality of the serviced delivered by GLOBAL OPERADORA HOTELERA S.A.S.

In the event of collecting data in virtue of the Movich Dreams loyalty program, Personal Data of the associates shall be additionally processed for the following purposes

a. Operating the Movich Dreams program.
b. Identifying the associate and keeping open communication with him/her, including but not limited to sending information on accumulation or redemption transactions on his/her account and sending any other hard copy or electronic mail.
c. Crediting the points from the Movich Dreams program to the associate’s account.
d. Allowing the associate to redeem points for nights in participating hotels.
e. Enabling the associate to receive the benefits redeemed through his/her points.
f. Keeping updated and backed-up the points balance of the associate’s account.
g. Sending offers and/or communications to the associate based upon his/her likes and preferences or previous behavior.
h. Subcontracting third parties in the capacity of Assignees of Personal Data for them to process the information of the associates and/or conduct any other activity as required by Movich Dreams and/or the hotels regarding the Movich Dreams program.

The Holder of Personal Data and/or sensitive data hereby authorizes GLOBAL OPERADORA HOTELERA S.A.S. to transfer its personal information to its headquarters, subsidiaries and affiliates, as well as to any other company pertaining to the Movich Hotels & Resorts Hotel Chain.

10.4.   PERSONAL DATA OF THE COMMUNITY IN GENERAL.
The collection of Personal Data from individuals conducted by GLOBAL OPERADORA HOTELERA S.A.S. to develop its corporate purpose shall abide by the provisions set forth herein.

11. INTERNATIONAL TRANSFER OF PRESONAL DATA 
The Transfer of Personal Data to countries which do not provide adequate levels of protection of Personal Data is forbidden. A country shall be deemed as safe if it complies with the standards determined by the Superintendence of Industry and Trade.

Notwithstanding the aforementioned, as an exception, transfer shall be allowed in the following cases:

• The Holder of the Personal Datum has expressly and clearly authorized such transfer
• Banking or Stock Exchange transfer, as provided for by the applicable law.
• Transfers agreed to under the framework of international treaties of which Colombia is a party, based upon the reciprocity principle.
• Transfers needed for the execution of a contract between the Holder and the Responsible for Processing
• Lawfully required transfers to safeguard public interest or for the acknowledgement, exercise or defense of a right within a judicial proceeding.

12. INDIVIDUAL OR AREA RESPONSIBLE FOR THE PROTECTION OF PERSONAL DATA
The Office of the Managerial and Income Optimization Vice-President shall be responsible for the enforcement of the Policy herein inside GLOBAL OPERADORA HOTELERA S.A.S. and shall process every request by the Holders. If you need extra information you contact us to atencionalcliente@movichhotels.com exercising the rights as provided for Law 1581 of 2012, Decree 1377 of 2013 and the Policy herein.

13. TEMPORALITY OF PERSONAL DATA
The permanence of Personal Data in the information systems of GLOBAL OPERADORA HOTELERA S.A.S. shall be determined by the purposes of Processing. Upon termination of said purpose, unless any other obligation to keep for a longer period is imposed by law, the Document Retention Table shall be considered by the area responsible for processing such data, in accordance with the POPP- 006-VV document management policy.

14. INFORMATION SECURITY
The guarantees and reserve imposed by the Political Constitution of Colombia, the norms on the protection of personal data and any other concordant and complementary norms shall be complied with when processing data. For such purposes, GLOBAL OPERADORA HOTELERA S.A.S. has adopted the legal required levels of security for the protection of personal data, thus installing the technical and organizational measures needed to prevent any loss, misuse, tampering with, check, non-authorized or fraudulent use or access or robbery of the data received.

GLOBAL OPERADORA HOTELERA S.A.S. will not be held responsible for any consequence resulting from the unlawful access of third parties to its websites or for any technical failure in their functioning. Likewise, GLOBAL OPERADORA HOTELERA S.A.S. does not assume any responsibility for inaccurate data or typographic mistakes that the contents uploaded to the network by the website administrator may display.

15. HELP DESK
The User of the information delivered, at any time, may exercise its rights as provided for by Article 8 of Law 1581 of 2012, within which the following are included: requesting information; knowing, updating, rectifying and requesting the suppression of its personal data; and requesting proof of the authorization granted and revoking the same. Notwithstanding the aforementioned, personal data shall be kept where required to comply with a legal or contractual obligation, as provided for by Law 1581 of 2012, its regulatory decrees and any other norms which complement or amend the same.

The User who does not desire to be contacted after delivering his/her information or personal data, must:

1. Express such decision when filling up the data collection forms.
2. When receiving information via e-mail, he/she may unsubscribe from the contact list by clicking on the safe subscription link, which is clearly highlighted.
3. Expressly request his/her decision of not receiving any further information by e-mail to atencionalcliente@movichhotels.com, under the subject: “cancel subscription”.
The Customer Service Area is responsible for channeling any requests on data protection within Movich Hotels and it is also responsible for personally assisting every User and Holder of information.

16. INFORMATION OF THE RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA
Name: GLOBAL OPERADORA HOTELERA S.A.S.
Nit: 900.521.807-7,
Adress: Av Calle 26 # 102 -20 Buró 26, floor 1
Email: atencionalcliente@movichhotels.com

This policy was updated on July 24, 2019.

HOTEL DE PEREIRA S.A. PERSONAL DATA PROTECTION POLICY

1. PURPOSE:
The promotion by HOTEL DE PEREIRA S.A., holder of Tax Identification Number 891.408.848-4, of the correct Personal Data Processing, in compliance of Law 1581 of 2012 “Through which general provisions for the protection of personal data were established” and Decree 1377 of 2013, “Through which Law 1581 of 2012 is partially regulated”
Whereas, HOTEL DE PEREIRA S.A. prepared the Personal Data Processing Policy herein, which is mandatory for all its receivers.

2. SCOPE: 
The policy herein shall be applied to the Personal Data Processing conducted within the Colombian territory, or, when the Norm is applicable to the Responsible for and/or Assigned outside the Colombian territory, in virtue of international treaties, contracts, or the like.

The principles and provisions included herein shall apply to the Data Bases which hold information of personal nature and which are kept under the custody of HOTEL DE PEREIRA S.A., whether as Responsible and/or as Assigned to such Processing.
Every organizational process of HOTEL DE PEREIRA S.A. which involves Personal Data Processing shall be governed by the provisions herein.

3. OFFICIALS RESPONSIBLE FOR THE POLICY 
This is a mandatory policy and the following people must fully abide by it:

• Legal Representatives of HOTEL DE PEREIRA S.A.
• Workers of HOTEL DE PEREIRA S.A.
• Contractors and third parties who act on behalf of HOTEL DE PEREIRA S.A. or who provide their personal services to HOTEL DE PEREIRA S.A. under any type of contract in virtue of which there is Personal Data Processing.
• Shareholders and Statutory Auditors.
• Any other person as provided for by law.
The breach to this Policy shall result in labor, criminal or civil penalties, as applicable.

4. DEFINITIONS: 
Under the regulations in force on the matter, the following definitions are adopted:

Holder: individual whose Personal Data are being processed.
Authorization: Prior, special and informed consent to perform Personal Data Processing
Data Base: organized set of Personal Data subject to Processing.
Personal datum: Any piece of information which is or may be connected to one or more determined or capable of being determined individuals
Public datum: any piece of information which is not of a private, semiprivate or sensitive in nature. The following are considered as public data: civil status, profession or occupation and the quality as trader or public servant of an individual. As per their nature, public data may be included in public records, public documents, journals and official newsletters and executed judicial rulings not subject to a reserved status.
Sensitive Data:  Understood as those that have an impact on the intimacy of the holder or whose inadequate use may cause discrimination, such as those that reveal racial or ethnical origin, political affiliation, religious or philosophical convictions, belonging to trade unions, social organizations, or human rights or which promote the interests of any political party or which guarantee the rights and guarantees of opposing political parties, as well as those connected to health, sexual orientation and biometrical data.
Assigned to processing: Natural or juridical, public or private person, who individually or collectively conducts Personal Data Processing on behalf of the person Responsible for processing.
Responsible for Processing: individual or juridical entity, of private or public nature which, by itself or by association with others, is capable of making decisions on the Data Base and/or data Processing of Personal Data.
Processing: Any operation or set of operations connected to Personal Data, such as collection, storage, use, disclosure or suppression
Transfer: A transfer takes place when the Responsible for or the Assigned to Personal Data Processing, located in Colombia, sends information or Personal Data to a receiver, who is in turn the Responsible for Processing and who is located within the national territory or abroad.
Transmission: Personal Data Processing which implies the communication of the same within or outside the territory of the Republic of Colombia if the purpose of such communication is to perform Data Processing by the Assignee on behalf of the Responsible.
Privacy Notice: Any verbal or written communication issued by the Responsible for Processing, addressed to the Holder in order to perform Personal Data Processing, through which the existence and application of Data Processing and the access and use given to Personal Data are informed.

5. PRINCIPLES 
Under the provisions of the regulations in force on the matter, the following principles are adopted:

• Legitimacy in terms of Personal Data Processing: Personal Data Processing in Colombia is a regulated activity and therefore, the business processes and the audiences of the norm must abide by the same.
• Freedom: Data Processing can only be conducted under prior, express and informed consent from the Holder. Personal Data may not be obtained, processed or disclosed without prior consent, or in absence of a legal or judicial mandate to relief such consent.
• Purpose: Data Processing must have a legitime purpose under the Constitution and the Law, which must be informed to the holder in an express, accurate and previous manner for him/her to express his/her informed consent.
• Truthfulness or Quality: Data subject to processing must be truthful, complete, accurate, updated, verifiable and understandable. Personal Data Processing on partial, incomplete, fractioned or misleading data is forbidden.
• Transparency: The Data Processing process, must guarantee at all times that the right of the Holder to receive, without limitation, information about the existence of data of interest from the Responsible for or Assigned to Processing.
• Access and Restricted Disclosure: Data Processing is subject to the limits derived from the nature of the Personal Data, as provided for by the Constitution and the Law. To this sense, Data Processing may only be conducted by those individuals authorized by the Holder and/or any other individual as provided for by law.
• Personal Data, except for public data, may not be made available through the Internet or any other mass media, except if access to such data is technically controllable to provide restricted knowledge only to the Holders or authorized third parties, as set forth herein.
• Security: Any data subject to processing by the Responsible for or the Assigned to Processing, as provided for by law, must be handled under the technical, human and administrative measures needed to provide enough security to the records, thus avoiding tampering with, loss, check, non-authorized or fraudulent use of the same.
• Confidentiality: Every individual involved in processing data which is not of public nature is compelled to guarantee that the information is kept as reserved, even upon termination of any of the tasks including in the Data Processing process, while only being able of providing or disclosing any Personal Data in an event connected to the development of authorized by law activities under the provisions thereof.

6. DUTIES OF THE RECEIVERS OF THE POLICY
The duties of the receivers of the Policy herein are described below, without prejudice to any additional duty imposed under Law 1581 of 2012 and Decree 1377 of 2013:

6.1 DUTIES OF THE INDIVIDUALS RESPONSIBLE FOR PROCESSING PERSONAL DATA
a.  To guarantee the Holder the full and effective exercise of the habeas data right, to wit: knowing, updating or correcting his/her personal data at any time.
b. To require and keep, under the conditions set forth herein, a copy of the corresponding Authorization granted by the Holder.
c. To inform the Holder of the Personal Data in a clear, sufficient and previous manner the purpose of the information provided.
d. To solely collect those Persona Data relevant and adequate for the purpose intended as the same are collected.
e. To process any check or claim submitted under the terms set forth herein.
f. To comply with the principles set forth herein.
g. To keep the information under the necessary security conditions as to prevent any tampering with, loss, check, or non-authorized use or access to such information.
h. To update the information, by timely communicating the person Assigned to Processing, any news regarding the Personal Data which could have been previously delivered and to adopt any necessary measures to keep the provided information updated.
i. To correct any inaccurate information and, if relevant, transfer such correction to the Assigned to Processing.
j. To provide the Assigned to Processing, as applicable, only the Personal Data whose Processing has been previously authorized.
k. To require the person Assigned to Processing to abide, at all times, by the security and privacy conditions of the information of the Holder.
l. To process any check or claim submitted under the terms provided for herein.
m. To implement an internal policy and procedures manual to guarantee the correct Processing of Personal Data under the provisions applicable and any instructions given on the matter by the Superintendence of Industry and Trade.
n. To inform the Assigned to Processing when any given information is subject to discussion by the Holder, once the claim has been submitted and the corresponding procedures has not concluded.
o. To inform, as per request of the Holder, of the use given to his/her Personal Data.
p. To inform the Personal Data authority of any breach to the security codes and if there is any risk regarding the management of the information of the Holders.
q. To comply with the instructions and requirements given by the Superintendence of Industry and Trade.

6.2 DUTIES OF THE ASSIGNED TO DATA PROCESSING
a. To guarantee the Holder, at all times, the full and effective exercise of the habeas data right.
b. To keep the information under the necessary security conditions as to prevent tampering with, loss, check, or non-authorized or fraudulent use or access to.
c. To update, correct or remove Personal Data as set forth by Law.
d. To update the information reported by those Responsible for Processing within five (5) business days from the date received.
e. To process any check or claim submitted by the Holders
f. To implement an internal policy and procedures manual to guarantee the correct Processing of Personal Data under the provisions applicable and any instructions given on the matter by the Superintendence of Industry and Trade.
g. To record within the Data Base the wording “claim in progress” as provided for by Law.
h. To include in the Data Base the wording “information under judicial discussion” upon receiving notice by the competent authority on any judicial proceeding regarding the quality of any Personal Datum.
i.To refrain from disclosing any information under controversy by the Holder and whose blockage has been ordered by the Superintendence of Industry and Trade.
j. To allow access to the information only for those people who hold clearance to access the same.
k. To inform the Superintendence of Industry and Trade in the event of any breach to the security codes and if there is any risk regarding the management of the information of the Holders.
l. To comply with the instructions and requirements given by the Superintendence of Industry and Trade.

7. RIGHTS OF THE HOLDERS OF PESONAL DATA 
a. To know, update and correct its own Personal Data before those Responsible for Processing or Assigned to Processing. This right may be exercised, among others, regarding partial, inaccurate, incomplete, fractioned, misleading or any other data whose Processing is expressly forbidden or which has not been authorized.
b. To require proof of the authorization granted to the Responsible for Processing except when expressly exempt as a requirement for Processing (any event in which such Authorization is not needed).
c. To be informed by the Responsible for Processing or the Assigned to Processing, as per previous request, regarding the use given to his/her Personal Data.
d. To submit before the Superintendence of Industry and Trade any claim due to breach to the provisions set forth herein and any other norm that amend, add or complement the same.
e. To cancel the Authorization and/or request the removal of the Personal Datum when the constitutional and legal principles, rights and guarantees are not complied with during Processing.
f. To freely access its Personal Data subject to Processing

8. LEGITIMACY FOR EXERCISING THE RIGHTS OF THE HOLDER
The rights of the holders may be exercised by the following individuals:

a. By the Holder, who must credit his/her identity in an adequate manner through the different media made available by the Responsible for Processing.
b. By the successors and assigns of the Holder who must credit such capacity.
c. By the representative and/or proxy of the Holder, under previous crediting of such representation or proxy.
d. By stipulation in favor of or to a third party.
e. The rights of minors, boys and girls, and adolescents shall be exercised by the individuals capable of representing them.

9. PEOPLE WHO MAY RECIEVE INFORMATION OF THE HOLDER OF PERSONAL DATA.
a. Any Holder, their successors or representatives;
b. Any public or administrative entity while exercising their legal duties or under a judicial order;
c. Any third party if authorized by the Holder or the Law.

10.  PURPOSE OF PROCESSING
In compliance of the Principle of Purpose, Personal Data Processing by HOTEL DE PEREIRA S.A., as Responsible or Assigned of the same, shall be ruled by the following parameters:

10.1        PERSONAL DATA CONNECTED TO HUMAN RESOURCES MANAGEMENT.

a.   Before subscribing a contract.
HOTEL DE PEREIRA S.A. collects, stores, reads, uses and processes information and Personal Data of any candidate to employee, by informing in advance the rules applicable to any Personal Data provided subject to Processing. In any case, the purpose of delivering Personal Data is limited to participating in the recruitment process and subsequent traceability, and therefore any other use is strictly forbidden.

The information submitted by the candidates to a vacant position in HOTEL DE PEREIRA S.A., shall be kept in storage for a five (5) year period from the date of the last Processing, to comply with the applicable administrative, accounting, fiscal, juridical and historical provisions in force on such information and any other legal requirement.

The Personal Data and information obtained from the recruitment process regarding the selected workers or contractors, shall be stored by HOTEL DE PEREIRA S.A. under strict security measures.

b. During and upon termination of the contract.
HOTEL DE PEREIRA S.A. collects, stores, checks, uses, shares, interchanges, transfers, discloses and process the personal information provided by its employees with the purpose of executing and developing the labor contract, and applying the legislation, jurisprudence and regulations in legal, social security, occupational risks grounds, granting benefits to the employee and its beneficiaries and for any other purpose needed for the correct development of the employee – employer relationship. Likewise, HOTEL DE PEREIRA S.A. collects, uses, shares, interchanges, sends, transfers, discloses and processes information and Personal Data of removed or retired employees, retirees or pensioners, bonded third parties, family group, beneficiaries and any other individual who has or has had an employment contract with HOTEL DE PEREIRA S.A.

HOTEL DE PEREIRA S.A. shall store the Personal Data of its employees under a dossier identified with the full name of each one of them. Access to such dossier is limited to the Human Resources Management Area and the Legal Area of HOTEL DE PEREIRA S.A., with the only purpose of managing the contractual relationship.

Such information shall be kept in storage, physically or through electronic means, as provided for by Article 264 of the Substantive Labor Code, or kept for the maximum term needed to comply with the legal or contractual obligations imposed to us, in particular, any accounting, contractual, fiscal or tax obligation.

10.2 PROVIDERS’ PERSONAL DATA.
HOTEL DE PEREIRA S.A. collects, stores, checks, uses, shares, interchanges, transfers, discloses and process the personal information provided by its providers which has been supplied as part of the procurement process of any goods or services delivered to HOTEL DE PEREIRA S.A., before, during or after the contractual relationship.

HOTEL DE PEREIRA S.A. shall collect the Personal Data of the employees of the provider, whenever such data is needed for security reasons according to the nature of the contracted service.

10.3 CLIENTS’ PERSONAL DATA
a. Processing and verification of any information needed to process reservations in the Movich Hotels & Resorts chain.
b. Updating or correcting information during the stay in the hotels of the Movich Hotels & Resorts chain.
c. Offering, subscribing and executing accommodation contracts and any other service connected to the travel experience of the guest of the Movich Hotels & Resorts chain.
d. Offering, subscribing and executing banquet and hall rental contracts with the facilities of the Movich Hotels & Resorts chain.
e. Controlling and preventing fraud, asset laundering and financing of terrorism.
f. Preparing marketing and statistics studies.
g. Sending out information or offering services connected to the social purpose of HOTEL DE PEREIRA S.A.
h. Sending out offers and/or commercial or services communications to the street address or e-mail included in the data recording forms filled up by the guest.
i. Contacting the guest by telephone, to notify offers and/or commercial or service communications
j. Sending out satisfaction surveys to learn about the quality of the serviced delivered by HOTEL DE PEREIRA S.A.

In the event of collecting data in virtue of the Movich Dreams loyalty program, Personal Data of the associates shall be additionally processed for the following purposes.

a. Operating the Movich Dreams program.
b. Identifying the associate and keeping open communication with him/her, including but not limited to sending information on accumulation or redemption transactions on his/her account and sending any other hard copy or electronic mail.
c. Crediting the points from the Movich Dreams program to the associate’s account.
d. Allowing the associate to redeem points for nights in participating hotels.
e. Enabling the associate to receive the benefits redeemed through his/her points.
f. Keeping updated and backed-up the points balance of the associate’s account.
g. Sending offers and/or communications to the associate based upon his/her likes and preferences or previous behavior.
h. Subcontracting third parties in the capacity of Assignees of Personal Data for them to process the information of the associates and/or conduct any other activity as required by Movich Dreams and/or the hotels regarding the Movich Dreams program.

The Holder of Personal Data and/or sensitive data hereby authorizes HOTEL DE PEREIRA S.A. to transfer its personal information to its headquarters, subsidiaries and affiliates, as well as to any other company pertaining to the Movich Hotels & Resorts Hotel Chain.

10.4.   PERSONAL DATA OF THE COMMUNITY IN GENERAL.
The collection of Personal Data from individuals conducted by HOTEL DE PEREIRA S.A. to develop its corporate purpose shall abide by the provisions set forth herein.

11. INTERNATIONAL TRANSFER OF PRESONAL DATA
The Transfer of Personal Data to countries which do not provide adequate levels of protection of Personal Data is forbidden. A country shall be deemed as safe if it complies with the standards determined by the Superintendence of Industry and Trade.
Notwithstanding the aforementioned, as an exception, transfer shall be allowed in the following cases:

• The Holder of the Personal Datum has expressly and clearly authorized such transfer
• Banking or Stock Exchange transfer, as provided for by the applicable law.
• Transfers agreed to under the framework of international treaties of which Colombia is a party, based upon the reciprocity principle.
• Transfers needed for the execution of a contract between the Holder and the Responsible for Processing
• Lawfully required transfers to safeguard public interest or for the acknowledgement, exercise or defense of a right within a judicial proceeding.

12. INDIVIDUAL OR AREA RESPONSIBLE FOR THE PROTECTION OF PERSONAL DATA
The Office of the Managerial and Income Optimization Vice-President shall be responsible for the enforcement of the Policy herein inside HOTEL DE PEREIRA S.A. and shall process every request by the Holders. If you need extra information you contact us to atencionalcliente@movichhotels.com exercising the rights as provided for Law 1581 of 2012, Decree 1377 of 2013 and the Policy herein.

13. TEMPORALITY OF PERSONAL DATA
The permanence of Personal Data in the information systems of HOTEL DE PEREIRA S.A. shall be determined by the purposes of Processing. Upon termination of said purpose, unless any other obligation to keep for a longer period is imposed by law, the Document Retention Table shall be considered by the area responsible for processing such data, in accordance with the POPP- 006-VV document management policy.

14. INFORMATION SECURITY
The guarantees and reserve imposed by the Political Constitution of Colombia, the norms on the protection of personal data and any other concordant and complementary norms shall be complied with when processing data. For such purposes, HOTEL DE PEREIRA S.A. has adopted the legal required levels of security for the protection of personal data, thus installing the technical and organizational measures needed to prevent any loss, misuse, tampering with, check, non-authorized or fraudulent use or access or robbery of the data received.

HOTEL DE PEREIRA S.A. will not be held responsible for any consequence resulting from the unlawful access of third parties to its websites or for any technical failure in their functioning. Likewise, HOTEL DE PEREIRA S.A. does not assume any responsibility for inaccurate data or typographic mistakes that the contents uploaded to the network by the website administrator may display.

15. HELP DESK
The User of the information delivered, at any time, may exercise its rights as provided for by Article 8 of Law 1581 of 2012, within which the following are included: requesting information; knowing, updating, rectifying and requesting the suppression of its personal data; and requesting proof of the authorization granted and revoking the same. Notwithstanding the aforementioned, personal data shall be kept where required to comply with a legal or contractual obligation, as provided for by Law 1581 of 2012, its regulatory decrees and any other norms which complement or amend the same.

The User who does not desire to be contacted after delivering his/her information or personal data, must:

1. Express such decision when filling up the data collection forms.
2. When receiving information via e-mail, he/she may unsubscribe from the contact list by clicking on the safe subscription link, which is clearly highlighted.
3. Expressly request his/her decision of not receiving any further information by e-mail to atencionalcliente@movichhotels.com, under the subject: “cancel subscription”.
The Customer Service Area is responsible for channeling any requests on data protection within Movich Hotels and it is also responsible for personally assisting every User and Holder of information.

16. INFORMATION OF THE RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA
Name: HOTEL DE PEREIRA S.A.
Nit: 891.408.848-4,
Adress: Av Calle 26 # 59 -15, Pereira
Email: atencionalcliente@movichhotels.com

This policy was updated on April 23, 2019.

PROMOTORA DE HOTELES MEDELLIN S.A. PERSONAL DATA PROTECTION POLICY

1. PURPOSE:
The promotion by PROMOTORA DE HOTELES MEDELLIN S.A., holder of Tax Identification Number 890.903.736-7, of the correct Personal Data Processing, in compliance of Law 1581 of 2012 “Through which general provisions for the protection of personal data were established” and Decree 1377 of 2013, “Through which Law 1581 of 2012 is partially regulated”
Whereas, PROMOTORA DE HOTELES MEDELLIN S.A. prepared the Personal Data Processing Policy herein, which is mandatory for all its receivers.

2. SCOPE: 
The policy herein shall be applied to the Personal Data Processing conducted within the Colombian territory, or, when the Norm is applicable to the Responsible for and/or Assigned outside the Colombian territory, in virtue of international treaties, contracts, or the like.

The principles and provisions included herein shall apply to the Data Bases which hold information of personal nature and which are kept under the custody of PROMOTORA DE HOTELES MEDELLIN S.A., whether as Responsible and/or as Assigned to such Processing.

Every organizational process of PROMOTORA DE HOTELES MEDELLIN S.A. which involves Personal Data Processing shall be governed by the provisions herein.

3. OFFICIALS RESPONSIBLE FOR THE POLICY 
This is a mandatory policy and the following people must fully abide by it:

• Legal Representatives of PROMOTORA DE HOTELES MEDELLIN S.A.
• Workers of PROMOTORA DE HOTELES MEDELLIN S.A.
• Contractors and third parties who act on behalf of PROMOTORA DE HOTELES MEDELLIN S.A. or who provide their personal services to PROMOTORA DE HOTELES MEDELLIN S.A. under any type of contract in virtue of which there is Personal Data Processing.
• Shareholders and Statutory Auditors.
• Any other person as provided for by law.

The breach to this Policy shall result in labor, criminal or civil penalties, as applicable.

4. DEFINITIONS: 
Under the regulations in force on the matter, the following definitions are adopted:

Holder: individual whose Personal Data are being processed.
Authorization: Prior, special and informed consent to perform Personal Data Processing
Data Base: organized set of Personal Data subject to Processing.
Personal datum: Any piece of information which is or may be connected to one or more determined or capable of being determined individuals
Public datum: any piece of information which is not of a private, semiprivate or sensitive in nature. The following are considered as public data: civil status, profession or occupation and the quality as trader or public servant of an individual. As per their nature, public data may be included in public records, public documents, journals and official newsletters and executed judicial rulings not subject to a reserved status.
Sensitive Data:  Understood as those that have an impact on the intimacy of the holder or whose inadequate use may cause discrimination, such as those that reveal racial or ethnical origin, political affiliation, religious or philosophical convictions, belonging to trade unions, social organizations, or human rights or which promote the interests of any political party or which guarantee the rights and guarantees of opposing political parties, as well as those connected to health, sexual orientation and biometrical data.
Assigned to processing: Natural or juridical, public or private person, who individually or collectively conducts Personal Data Processing on behalf of the person Responsible for processing.
Responsible for Processing: individual or juridical entity, of private or public nature which, by itself or by association with others, is capable of making decisions on the Data Base and/or data Processing of Personal Data.
Processing: Any operation or set of operations connected to Personal Data, such as collection, storage, use, disclosure or suppression
Transfer: A transfer takes place when the Responsible for or the Assigned to Personal Data Processing, located in Colombia, sends information or Personal Data to a receiver, who is in turn the Responsible for Processing and who is located within the national territory or abroad.
Transmission: Personal Data Processing which implies the communication of the same within or outside the territory of the Republic of Colombia if the purpose of such communication is to perform Data Processing by the Assignee on behalf of the Responsible.
Privacy Notice: Any verbal or written communication issued by the Responsible for Processing, addressed to the Holder in order to perform Personal Data Processing, through which the existence and application of Data Processing and the access and use given to Personal Data are informed.

5. PRINCIPLES 
Under the provisions of the regulations in force on the matter, the following principles are adopted:

• Legitimacy in terms of Personal Data Processing: Personal Data Processing in Colombia is a regulated activity and therefore, the business processes and the audiences of the norm must abide by the same.
• Freedom: Data Processing can only be conducted under prior, express and informed consent from the Holder. Personal Data may not be obtained, processed or disclosed without prior consent, or in absence of a legal or judicial mandate to relief such consent.
• Purpose: Data Processing must have a legitime purpose under the Constitution and the Law, which must be informed to the holder in an express, accurate and previous manner for him/her to express his/her informed consent.
• Truthfulness or Quality: Data subject to processing must be truthful, complete, accurate, updated, verifiable and understandable. Personal Data Processing on partial, incomplete, fractioned or misleading data is forbidden.
• Transparency: The Data Processing process, must guarantee at all times that the right of the Holder to receive, without limitation, information about the existence of data of interest from the Responsible for or Assigned to Processing.
• Access and Restricted Disclosure: Data Processing is subject to the limits derived from the nature of the Personal Data, as provided for by the Constitution and the Law. To this sense, Data Processing may only be conducted by those individuals authorized by the Holder and/or any other individual as provided for by law.
• Personal Data, except for public data, may not be made available through the Internet or any other mass media, except if access to such data is technically controllable to provide restricted knowledge only to the Holders or authorized third parties, as set forth herein.
• Security: Any data subject to processing by the Responsible for or the Assigned to Processing, as provided for by law, must be handled under the technical, human and administrative measures needed to provide enough security to the records, thus avoiding tampering with, loss, check, non-authorized or fraudulent use of the same.
• Confidentiality: Every individual involved in processing data which is not of public nature is compelled to guarantee that the information is kept as reserved, even upon termination of any of the tasks including in the Data Processing process, while only being able of providing or disclosing any Personal Data in an event connected to the development of authorized by law activities under the provisions thereof.

6. DUTIES OF THE RECEIVERS OF THE POLICY
The duties of the receivers of the Policy herein are described below, without prejudice to any additional duty imposed under Law 1581 of 2012 and Decree 1377 of 2013:

6.1 DUTIES OF THE INDIVIDUALS RESPONSIBLE FOR PROCESSING PERSONAL DATA
a.  To guarantee the Holder the full and effective exercise of the habeas data right, to wit: knowing, updating or correcting his/her personal data at any time.
b. To require and keep, under the conditions set forth herein, a copy of the corresponding Authorization granted by the Holder.
c. To inform the Holder of the Personal Data in a clear, sufficient and previous manner the purpose of the information provided.
d. To solely collect those Persona Data relevant and adequate for the purpose intended as the same are collected.
e. To process any check or claim submitted under the terms set forth herein.
f. To comply with the principles set forth herein.
g. To keep the information under the necessary security conditions as to prevent any tampering with, loss, check, or non-authorized use or access to such information.
h. To update the information, by timely communicating the person Assigned to Processing, any news regarding the Personal Data which could have been previously delivered and to adopt any necessary measures to keep the provided information updated.
i. To correct any inaccurate information and, if relevant, transfer such correction to the Assigned to Processing.
j. To provide the Assigned to Processing, as applicable, only the Personal Data whose Processing has been previously authorized.
k. To require the person Assigned to Processing to abide, at all times, by the security and privacy conditions of the information of the Holder.
l. To process any check or claim submitted under the terms provided for herein.
m. To implement an internal policy and procedures manual to guarantee the correct Processing of Personal Data under the provisions applicable and any instructions given on the matter by the Superintendence of Industry and Trade.
n. To inform the Assigned to Processing when any given information is subject to discussion by the Holder, once the claim has been submitted and the corresponding procedures has not concluded.
o. To inform, as per request of the Holder, of the use given to his/her Personal Data.
p. To inform the Personal Data authority of any breach to the security codes and if there is any risk regarding the management of the information of the Holders.
q. To comply with the instructions and requirements given by the Superintendence of Industry and Trade.

6.2 DUTIES OF THE ASSIGNED TO DATA PROCESSING
a. To guarantee the Holder, at all times, the full and effective exercise of the habeas data right.
b. To keep the information under the necessary security conditions as to prevent tampering with, loss, check, or non-authorized or fraudulent use or access to.
c. To update, correct or remove Personal Data as set forth by Law.
d. To update the information reported by those Responsible for Processing within five (5) business days from the date received.
e. To process any check or claim submitted by the Holders
f. To implement an internal policy and procedures manual to guarantee the correct Processing of Personal Data under the provisions applicable and any instructions given on the matter by the Superintendence of Industry and Trade.
g. To record within the Data Base the wording “claim in progress” as provided for by Law.
h. To include in the Data Base the wording “information under judicial discussion” upon receiving notice by the competent authority on any judicial proceeding regarding the quality of any Personal Datum.
i. To refrain from disclosing any information under controversy by the Holder and whose blockage has been ordered by the Superintendence of Industry and Trade.
j. To allow access to the information only for those people who hold clearance to access the same.
k. To inform the Superintendence of Industry and Trade in the event of any breach to the security codes and if there is any risk regarding the management of the information of the Holders.
l. To comply with the instructions and requirements given by the Superintendence of Industry and Trade.

7. RIGHTS OF THE HOLDERS OF PESONAL DATA 
a. To know, update and correct its own Personal Data before those Responsible for Processing or Assigned to Processing. This right may be exercised, among others, regarding partial, inaccurate, incomplete, fractioned, misleading or any other data whose Processing is expressly forbidden or which has not been authorized.
b. To require proof of the authorization granted to the Responsible for Processing except when expressly exempt as a requirement for Processing (any event in which such Authorization is not needed).
c. To be informed by the Responsible for Processing or the Assigned to Processing, as per previous request, regarding the use given to his/her Personal Data.
d. To submit before the Superintendence of Industry and Trade any claim due to breach to the provisions set forth herein and any other norm that amend, add or complement the same.
e. To cancel the Authorization and/or request the removal of the Personal Datum when the constitutional and legal principles, rights and guarantees are not complied with during Processing.
f. To freely access its Personal Data subject to Processing

8. LEGITIMACY FOR EXERCISING THE RIGHTS OF THE HOLDER
The rights of the holders may be exercised by the following individuals:

a. By the Holder, who must credit his/her identity in an adequate manner through the different media made available by the Responsible for Processing.
b. By the successors and assigns of the Holder who must credit such capacity.
c. By the representative and/or proxy of the Holder, under previous crediting of such representation or proxy.
d. By stipulation in favor of or to a third party.
e. The rights of minors, boys and girls, and adolescents shall be exercised by the individuals capable of representing them.

9. PEOPLE WHO MAY RECIEVE INFORMATION OF THE HOLDER OF PERSONAL DATA.
a. Any Holder, their successors or representatives;
b. Any public or administrative entity while exercising their legal duties or under a judicial order;
c. Any third party if authorized by the Holder or the Law.

10.  PURPOSE OF PROCESSING
In compliance of the Principle of Purpose, Personal Data Processing by PROMOTORA DE HOTELES MEDELLIN S.A., as Responsible or Assigned of the same, shall be ruled by the following parameters:

10.1        PERSONAL DATA CONNECTED TO HUMAN RESOURCES MANAGEMENT.

a.   Before subscribing a contract.
PROMOTORA DE HOTELES MEDELLIN S.A. collects, stores, reads, uses and processes information and Personal Data of any candidate to employee, by informing in advance the rules applicable to any Personal Data provided subject to Processing. In any case, the purpose of delivering Personal Data is limited to participating in the recruitment process and subsequent traceability, and therefore any other use is strictly forbidden.

The information submitted by the candidates to a vacant position in PROMOTORA DE HOTELES MEDELLIN S.A., shall be kept in storage for a five (5) year period from the date of the last Processing, to comply with the applicable administrative, accounting, fiscal, juridical and historical provisions in force on such information and any other legal requirement.

The Personal Data and information obtained from the recruitment process regarding the selected workers or contractors, shall be stored by PROMOTORA DE HOTELES MEDELLIN S.A. under strict security measures.

b. During and upon termination of the contract.
PROMOTORA DE HOTELES MEDELLIN S.A. collects, stores, checks, uses, shares, interchanges, transfers, discloses and process the personal information provided by its employees with the purpose of executing and developing the labor contract, and applying the legislation, jurisprudence and regulations in legal, social security, occupational risks grounds, granting benefits to the employee and its beneficiaries and for any other purpose needed for the correct development of the employee – employer relationship. Likewise, PROMOTORA DE HOTELES MEDELLIN S.A. collects, uses, shares, interchanges, sends, transfers, discloses and processes information and Personal Data of removed or retired employees, retirees or pensioners, bonded third parties, family group, beneficiaries and any other individual who has or has had an employment contract with PROMOTORA DE HOTELES MEDELLIN S.A.

PROMOTORA DE HOTELES MEDELLIN S.A. shall store the Personal Data of its employees under a dossier identified with the full name of each one of them. Access to such dossier is limited to the Human Resources Management Area and the Legal Area of PROMOTORA DE HOTELES MEDELLIN S.A., with the only purpose of managing the contractual relationship.
Such information shall be kept in storage, physically or through electronic means, as provided for by Article 264 of the Substantive Labor Code, or kept for the maximum term needed to comply with the legal or contractual obligations imposed to us, in particular, any accounting, contractual, fiscal or tax obligation.

10.2 PROVIDERS’ PERSONAL DATA.
PROMOTORA DE HOTELES MEDELLIN S.A. collects, stores, checks, uses, shares, interchanges, transfers, discloses and process the personal information provided by its providers which has been supplied as part of the procurement process of any goods or services delivered to PROMOTORA DE HOTELES MEDELLIN S.A., before, during or after the contractual relationship.

PROMOTORA DE HOTELES MEDELLIN S.A. shall collect the Personal Data of the employees of the provider, whenever such data is needed for security reasons according to the nature of the contracted service.

10.3 CLIENTS’ PERSONAL DATA
a. Processing and verification of any information needed to process reservations in the Movich Hotels & Resorts chain.
b. Updating or correcting information during the stay in the hotels of the Movich Hotels & Resorts chain.
c. Offering, subscribing and executing accommodation contracts and any other service connected to the travel experience of the guest of the Movich Hotels & Resorts chain.
d. Offering, subscribing and executing banquet and hall rental contracts with the facilities of the Movich Hotels & Resorts chain.
e. Controlling and preventing fraud, asset laundering and financing of terrorism.
f. Preparing marketing and statistics studies.
g. Sending out information or offering services connected to the social purpose of PROMOTORA DE HOTELES MEDELLIN S.A.
h. Sending out offers and/or commercial or services communications to the street address or e-mail included in the data recording forms filled up by the guest.
i. Contacting the guest by telephone, to notify offers and/or commercial or service communications
j. Sending out satisfaction surveys to learn about the quality of the serviced delivered by PROMOTORA DE HOTELES MEDELLIN S.A.

In the event of collecting data in virtue of the Movich Dreams loyalty program, Personal Data of the associates shall be additionally processed for the following purposes.

a. Operating the Movich Dreams program.
b. Identifying the associate and keeping open communication with him/her, including but not limited to sending information on accumulation or redemption transactions on his/her account and sending any other hard copy or electronic mail.
c. Crediting the points from the Movich Dreams program to the associate’s account.
d. Allowing the associate to redeem points for nights in participating hotels.
e. Enabling the associate to receive the benefits redeemed through his/her points.
f. Keeping updated and backed-up the points balance of the associate’s account.
g. Sending offers and/or communications to the associate based upon his/her likes and preferences or previous behavior.
h. Subcontracting third parties in the capacity of Assignees of Personal Data for them to process the information of the associates and/or conduct any other activity as required by Movich Dreams and/or the hotels regarding the Movich Dreams program.

The Holder of Personal Data and/or sensitive data hereby authorizes PROMOTORA DE HOTELES MEDELLIN S.A. to transfer its personal information to its headquarters, subsidiaries and affiliates, as well as to any other company pertaining to the Movich Hotels & Resorts Hotel Chain.

10.4.   PERSONAL DATA OF THE COMMUNITY IN GENERAL.
The collection of Personal Data from individuals conducted by PROMOTORA DE HOTELES MEDELLIN S.A. to develop its corporate purpose shall abide by the provisions set forth herein.

11. INTERNATIONAL TRANSFER OF PRESONAL DATA 
The Transfer of Personal Data to countries which do not provide adequate levels of protection of Personal Data is forbidden. A country shall be deemed as safe if it complies with the standards determined by the Superintendence of Industry and Trade.
Notwithstanding the aforementioned, as an exception, transfer shall be allowed in the following cases:

• The Holder of the Personal Datum has expressly and clearly authorized such transfer
• Banking or Stock Exchange transfer, as provided for by the applicable law.
• Transfers agreed to under the framework of international treaties of which Colombia is a party, based upon the reciprocity principle.
• Transfers needed for the execution of a contract between the Holder and the Responsible for Processing
• Lawfully required transfers to safeguard public interest or for the acknowledgement, exercise or defense of a right within a judicial proceeding.

12. INDIVIDUAL OR AREA RESPONSIBLE FOR THE PROTECTION OF PERSONAL DATA
The Office of the Managerial and Income Optimization Vice-President shall be responsible for the enforcement of the Policy herein inside PROMOTORA DE HOTELES MEDELLIN S.A. and shall process every request by the Holders. If you need extra information you contact us to atencionalcliente@movichhotels.com exercising the rights as provided for Law 1581 of 2012, Decree 1377 of 2013 and the Policy herein.

13. TEMPORALITY OF PERSONAL DATA
The permanence of Personal Data in the information systems of PROMOTORA DE HOTELES MEDELLIN S.A. shall be determined by the purposes of Processing. Upon termination of said purpose, unless any other obligation to keep for a longer period is imposed by law, the Document Retention Table shall be considered by the area responsible for processing such data, in accordance with the POPP- 006-VV document management policy.

14. INFORMATION SECURITY
The guarantees and reserve imposed by the Political Constitution of Colombia, the norms on the protection of personal data and any other concordant and complementary norms shall be complied with when processing data. For such purposes, PROMOTORA DE HOTELES MEDELLIN S.A. has adopted the legal required levels of security for the protection of personal data, thus installing the technical and organizational measures needed to prevent any loss, misuse, tampering with, check, non-authorized or fraudulent use or access or robbery of the data received.

PROMOTORA DE HOTELES MEDELLIN S.A. will not be held responsible for any consequence resulting from the unlawful access of third parties to its websites or for any technical failure in their functioning. Likewise, PROMOTORA DE HOTELES MEDELLIN S.A. does not assume any responsibility for inaccurate data or typographic mistakes that the contents uploaded to the network by the website administrator may display.

15. HELP DESK
The User of the information delivered, at any time, may exercise its rights as provided for by Article 8 of Law 1581 of 2012, within which the following are included: requesting information; knowing, updating, rectifying and requesting the suppression of its personal data; and requesting proof of the authorization granted and revoking the same. Notwithstanding the aforementioned, personal data shall be kept where required to comply with a legal or contractual obligation, as provided for by Law 1581 of 2012, its regulatory decrees and any other norms which complement or amend the same.

The User who does not desire to be contacted after delivering his/her information or personal data, must:

1. Express such decision when filling up the data collection forms.
2. When receiving information via e-mail, he/she may unsubscribe from the contact list by clicking on the safe subscription link, which is clearly highlighted.
3. Expressly request his/her decision of not receiving any further information by e-mail to atencionalcliente@movichhotels.com, under the subject: “cancel subscription”.

The Customer Service Area is responsible for channeling any requests on data protection within Movich Hotels and it is also responsible for personally assisting every User and Holder of information.

16. INFORMATION OF THE RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA
Name: PROMOTORA DE HOTELES MEDELLIN S.A.
Nit: 890.903.736-7,
Adress: Av Calle 26 # 59 -15 floor 9, Bogotá
Email: atencionalcliente@movichhotels.com

This policy was updated on April 23, 2019.