
Personal Data Processing Policies

Microsyslabs S.A.S, identified with NIT 900663379-5, with main address at Carrera 30 # 4A – 45 Ed. Forever W&L, Medellín, Colombia; website: www.wolkvox.com, email: [email protected], phone: +57 (604) 322 98 80, has appointed the Risk Leader in Information Security and Continuity as the role responsible for enforcing the regulations and these policies for the processing of personal data.

To establish the criteria for Microsyslabs S.A.S as the data controller to collect, store, use, circulate, transfer, update, and delete information of the authorized data provided by the data subjects and for the purposes established by the entity.

The Policy for the Treatment of Personal Data was prepared in accordance with the provisions of articles 15 and 20 of the Political Constitution of Colombia, Law 1581 of 2012, Regulatory Decree 1377 of 2013, and other complementary provisions. It will be applied by Microsyslabs regarding the collection, storage, use, circulation, deletion, and all other activities that constitute the processing of personal data.

This Policy for Personal Data Processing is directed to active and inactive personnel of Microsyslabs, contractors, clients, and other individuals who have had any type of relationship with Microsyslabs and whose personal data is included in the Company’s Databases.

This policy is mandatory for Microsyslabs as the data controller, as well as for the processors who process personal data on behalf of the company, in accordance with the obligations established in Law 1581 of 2012, Title IV, articles 17 and 18.

For the purpose of understanding this policy and in accordance with legal regulations, the following definitions, contained in Law 1581 of 2012, will be applicable: “Authorization: Prior, express, and informed consent of the Data Subject to carry out the Processing of personal data.”

  • Privacy Notice: Privacy Notice is a verbal or written communication generated by the data controller, directed to the data subject for the processing of their personal data, through which they are informed about the existence of the information processing policies that will be applicable to them, how to access them, and the purposes of the processing of their personal data.
  • Database: Organized set of personal data that is subject to Processing.
  • Personal data: Any information linked or that can be associated with one or more identified or identifiable natural persons.
  • Public data: It is the data classified as such according to the mandates of the law or the Political Constitution and is not semi-private, private, or sensitive. Public data includes, among others, information related to the civil status of individuals, their profession or occupation, their status as a merchant or public servant, and any information that can be obtained without any reservation. By their nature, public data can be found, among others, in public records, public documents, official gazettes and bulletins, and non-confidential judicial decisions that have become final.
  • Private data: Private data is the data that, due to its intimate or confidential nature, is only relevant to the data subject.
  • Sensitive data: Sensitive data is understood to be data that affects the privacy of the Data Subject or whose misuse could lead to discrimination, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, membership in trade unions, social organizations, human rights organizations, or data promoting the interests of any political party or guaranteeing the rights and guarantees of opposition political parties, as well as data relating to health, sexual life, and biometric data.
  • Data Processor: Natural or legal person, public or private, who, by themselves or in association with others, carries out the Processing of personal data on behalf of the Data Controller.
  • Data Controller: Natural or legal person, public or private, who, by themselves or in association with others, decides on the database and/or the Processing of the data.
  • Data Subject: Natural person whose personal data is subject to Processing.
  • Processing: Any operation or set of operations on personal data, such as collection, storage, use, disclosure, or deletion of the same.
  • Suppliers: All natural or legal persons who provide services to the Company under a contractual/obligational relationship.
  • Employee: Any individual who provides services to the Company under an employment contract.
  • Transfer: It refers to the sending by the Company as the data controller or a data processor, to a third party or natural/legal person (recipient), within or outside the national territory for the effective processing of personal data.
  • Transmission: Processing of personal data that involves the communication of such data within or outside the territory of the Republic of Colombia when its purpose is to carry out processing by the processor on behalf of the data controller.

For the understanding of terms not included in the previous list, you must refer to the current legislation, especially Law 1581 of 2012 and Decree 1377 of 2013, interpreting the terms whose definition is in doubt according to the meaning used in said regulations.

For the purpose of guaranteeing the protection of personal and sensitive data, Microsyslabs will apply in a harmonious and comprehensive manner the guiding principles of Law 1581 of 2012:

  • Principle of legality in data processing: The processing referred to in this law is a regulated activity that must comply with the provisions established in it and in other applicable regulations.

 

  • Principle of purpose: The processing must serve a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Data Subject.

 

  • Principle of freedom: The processing can only be carried out with the prior, express, and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that exempts the consent.

 

  • Principle of truthfulness or quality: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited.

 

  • Principle of transparency: Data Subjects have the right to obtain from the Data Controller or Data Processor, at any time and without restrictions, information about the existence of data concerning them.

 

  • Principle of restricted access and circulation: The processing is subject to the limits derived from the nature of personal data, the provisions of this law, and the Constitution. Therefore, processing may only be carried out by persons authorized by the Data Subject and/or by persons provided for in this law. Personal data, except for public information and what is provided for in the authorization granted by the data subject, may not be available on the Internet or other means of mass dissemination or communication, unless access is technically controllable to provide restricted knowledge only to Data Subjects or authorized third parties in accordance with this law.

 

  • Principle of security: The information subject to processing by the Data Controller or Data Processor under this law must be protected through the use of technical, human, and administrative measures necessary to ensure the security of the records, preventing their alteration, loss, consultation, unauthorized or fraudulent use, or access.

 

  • Principle of confidentiality: All persons involved in the processing of personal data that do not have a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the activities that comprise the processing. They may only provide or communicate personal data when it corresponds to the development of activities authorized by this law and in accordance with its terms.

 

PARAGRAPH: The Data Subject may refuse to authorize the processing of their sensitive, personal, and semi-private data.

PRIOR AND/OR AT THE TIME OF COLLECTING PERSONAL DATA, Microsyslabs will request authorization from the data subject to collect and process their data. This authorization should be obtained through any means or mechanism, including electronic ones, that may be subject to subsequent consultation, all in accordance with the law.

In compliance with the principles of purpose and freedom, data collection shall be limited to relevant and adequate personal data for the purposes for which they are collected or required, as stipulated by current regulations and stated in this policy. Except in cases expressly provided for by law, personal data shall not be collected without the data subject’s authorization.

PARAGRAPH 1: The data subject’s authorization will not be necessary according to the causes established in Article 10 of Law 1581 of 2012.

PARAGRAPH 2: The data subject may request from Microsyslabs, as the data controller, the deletion of their personal data and/or revoke the authorization granted for their processing, at any time. To do so, the channels enabled in Section 18 of this Policy may be used.

Microsyslabs may process personal, private, and/or sensitive data for the following purposes, as well as those expressed in the law:

• Execution of contractual relationships with clients and suppliers, including national and international business management, purchasing, sales, historical data storage, offering new or improved products and services, and customer loyalty strategies.

• Execution of contractual relationships with employees, including personnel management, schedule control, employee training, payroll, temporary work management, occupational risk prevention, job promotion and management, employee selection, storage of images and diagnostic exams, declaration and payment of social security contributions, inspection and control of safety and social protection.

• Verification of judicial records, Contraloría and Procuraduría certifications, Simit, Clinton List, job references, and study certificates.

• Provision and information about services, new products, or changes in them requested by users.

• Evaluation of product and service quality.

• Sending commercial, advertising, or promotional information about products, services, events, or promotions by physical mail, email, cellphone, text messages (SMS and/or MMS), or any other analog or digital communication means created or to be created, aimed at promoting, inviting, directing, executing, informing, and, in general, conducting commercial or advertising campaigns, promotions, or contests conducted by Microsyslabs and/or third parties.

• Data marketing.

• Management of cultural, recreational, sports, social, educational, training, and similar events, as well as associated certification processes.

• Customer/citizen support (PQR management).

• Internal statistics and decision-making support systems, sociological and opinion surveys, profile analysis, and advertising.

• Provision of communication services.

• Marketing, e-commerce, and publications.

• Document entry and exit records.

• Development of accounting, fiscal, administrative, and economic management, inventory control, collections, payments, billing, and attention to judicial or administrative authority requirements.

• Public debt management, treasury, tax management, and collection.

• Judicial procedures.

• Security and access control to Microsyslabs facilities.

• Promotion and prevention programs.

• Data update campaigns and information on changes in the processing of personal data.

• Custody and management of information and databases.

• Data and reference verification, legal, technical, and/or financial requirements.

• Information systems administration, key management, user administration, etc.

• Sending information to data subjects related to the organization’s corporate purpose.

• Sharing, sending, or delivering personal data to Microsyslabs’ subsidiary, affiliated, or subsidiary companies located in Colombia or any other country when such companies require the information for the purposes stated here.

The policy and procedures contained in this document extend to the various areas that make up the company and are part of the processing of personal data and apply to the databases and/or files that contain digital or physical personal and/or sensitive data, making them subject to processing.

Data subjects themselves or through their representative and/or legal proxy or their heirs may exercise the following rights concerning their personal data that are subject to processing by Microsyslabs, in accordance with Article 8 of Law 1581 of 2012:

  • To know, update, and rectify their personal data in front of the data controllers or data processors. This right may be exercised, among others, in relation to partial, inaccurate, incomplete, fractionated, misleading data, or data whose processing is expressly prohibited or has not been authorized.

 

  • To request proof of the authorization granted to the data controller, unless expressly excepted as a requirement for processing, in accordance with the provisions of Article 10 of Law 1581 of 2012. To be informed by the data controller or data processor, upon request, about the use that has been given to their personal data.

 

  • To file complaints with the Superintendence of Industry and Commerce for violations of the provisions of Statutory Law 1581 of 2012 and the decrees, regulations, and other provisions that modify, add to, or complement it.

 

  • To revoke the authorization and/or request the deletion of the data when the processing does not comply with constitutional and legal principles, rights, and guarantees. The revocation and/or deletion shall proceed when the Superintendence of Industry and Commerce has determined that the data controller or data processor have engaged in conduct contrary to the provisions of Law 1581 of 2012 and the constitution.

 

  • To access, free of charge, their personal data that have been subject to processing.

 

PARAGRAPH: In accordance with Article 20 of Decree 1377 of 2013, which partially regulates Law 1581 of 2012, the rights of data subjects established in the Law may be exercised by the following persons: [Not provided in the original text]

TREATMENT: Microsyslabs is obligated to comply with the duties established in Law 1581 of 2012 for data controllers and data processors, as well as any other duties imposed by the law. Accordingly, the following obligations must be met:

A. Duties as Data Controller, Article 17 of Law 1581 of 2012:

  • Ensure that data subjects can fully and effectively exercise their right to habeas data.
  • Request and keep, under the conditions set forth in this policy, a copy of the respective authorization granted by the data subject.
  • Provide clear and sufficient information to the data subject about the purpose of the data collection and the rights granted by the authorization.
  • Safeguard the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.
  • Ensure that the information provided to the data processor is truthful, complete, accurate, up-to-date, verifiable, and understandable.
  • Update the information when necessary and inform the data processor of any updates regarding the data previously provided and take other necessary measures to keep the information provided to the processor current.
  • Rectify personal data when appropriate and communicate this to the data processor.
  • Provide the data processor, as the case may be, only with data whose processing has been previously authorized.
  • Demand from the data processor the respect and compliance with the security and privacy conditions of the data subject’s information.
  • Process inquiries and claims in the terms indicated in this policy.
  • Adopt an internal manual of policies and procedures to ensure compliance with Law 1581 of 2012 and to address inquiries and claims.
  • Inform the data processor when certain information is under dispute and the process has not been concluded.
  • Provide the data subject, upon request, with information about the use of their data.
  • Inform the data protection authority when there are violations of security codes and risks in the administration of the data subject’s information.
  • Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

 

B. Duties as Data Processor, Article 18 of Law 1581 of 2012:

  • Guarantee the data subject’s full and effective exercise of the right to habeas data at all times.
  • Safeguard the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.
  • Timely carry out updates, rectifications, or deletions of the data.
  • Update the information reported by the data controllers within five (5) business days from its receipt.
  • Process inquiries and claims made by the data subjects in the terms indicated in this policy.
  • Adopt an internal manual of policies and procedures to ensure compliance with the Law, especially in addressing inquiries and claims from data subjects.
  • Record the legend “claim being processed” in the database as established in this policy. Insert the legend “information under judicial discussion” in the database once notified by the competent authority of judicial processes related to the quality of personal data.
  • Refrain from circulating information that is disputed by the data subject and has been blocked by the Superintendence of Industry and Commerce.
  • Allow access to the information only to authorized personnel or those who may have access to it.
  • Inform the Superintendence of Industry and Commerce of violations of security codes and risks in the administration of data subjects’ information.
  • Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

 

FIRST PARAGRAPH: If data processing is performed on behalf of another entity or organization (Data Controller), it must be established that the Data Controller is authorized to provide the personal data that will be processed as a data processor.

SECOND PARAGRAPH: If data processing is carried out through an external data processor, it shall be considered a Personal Data Transmission relationship, for which the scope of data processing, as well as the activities to be carried out by the data processor on behalf of the Data Controller and the obligations with the Data Subject and Data Controller, must be indicated.

In accordance with the content of Article 25 of Decree 1377 of 2013, “the data processor shall undertake to comply with the obligations of the Data Controller under the Data Processing Policy established by the latter and to carry out data processing according to the purposes authorized by the Data Subjects and applicable laws.”

In accordance with the content of Article 4 of Decree 1377 of 2013, the collection of personal data will be limited to those that are relevant and appropriate for the purposes established by Microsyslabs or the current regulations.

Microsyslabs may collect data, after obtaining the Authorization from the Owner:

  • From physical and/or digital documents provided by the information owners to Microsyslabs’ data processors.
  • From phone recordings.
  • From emails.
  • Obtained from video surveillance systems, whether inside or outside Microsyslabs’ premises, which will be used for security purposes and as evidence in any type of process.

 

The personal data provided by the information owner for the purposes stated here will not be sold, licensed, transmitted, transferred, or disclosed, except when:

  • There is explicit authorization to do so.
  • It is necessary to allow contractors or commercial agents to sell goods and/or provide the services entrusted.
  • It is necessary to provide our services and/or products.
  • It is necessary to disclose to entities that provide marketing services on behalf of Microsyslabs or to other entities with which joint marketing agreements are in place.
  • The information is related to a merger, consolidation, acquisition, divestment, or other corporate restructuring process.
  • It is required or permitted by law.

 

Microsyslabs may subcontract third parties for the processing of certain functions or information. Therefore, when personal information is provided to third-party service providers, Microsyslabs will notify these third parties about the need to protect such personal information with appropriate security measures. Furthermore, Microsyslabs will prohibit the use of the information for their own purposes and its disclosure to others, except in cases where there is explicit authorization from the owner.

The Company acknowledges that its employees and shareholders have the right to expect a reasonable level of privacy, taking into account their responsibilities, rights, and obligations with the company.

In the related information, sensitive data may be found in accordance with Law 1581 of 2012 and Decree 1377 of 2013, regarding which the Owner has the rights established in the aforementioned regulations and any additional, substitute, or modifying regulations.

As part of the relationship established between the data subject and the Company, the following information will be collected, stored, used, and transferred to companies located within and outside Colombia. Such personal data and information include, among others:

A. From Customers and Suppliers:

  1. Name or corporate name, identification number or NIT with verification digit, place of domicile, address, phone numbers, fax, email.
  2. Name of the general manager or legal representative and address, phone numbers, fax, email.
  3. Name of the sales manager or coordinator, address, phone numbers, fax, email.
  4. Name of the assigned person for debt collection, email.
  5. Time of business operation.
  6. Tax information.
  7. Banking information, including the name of the account holder, bank account number, and name or code of the bank.
  8. Financial information.

B. From Employees:

  1. Worker and Family Group: name, identification, address, phone, name of spouse and children, name and identification of children, medical history, social security affiliations, medical policy, age, date of birth, educational information, health status, medications used, medical authorizations, participation in recreational and sports activities.
  2. Resume, education, experience, links with entities, links with companies.
  3. Salary and other payments.
  4. Payroll deduction affiliations.
  5. Pension contributions.
  6. Constitution and contributions to AFC, voluntary pension funds, meal vouchers.
  7. Legal processes, garnishments.
  8. Debts in favor of cooperatives.
  9. Authorization for deductions.
  10. Benefits during the entire work life.
  11. Employment contract and changes in the employment contract.
  12. Employment relationship with employers.
  13. Employment history of the worker.
  14. Payment of allowances and benefits.
  15. Worker’s beneficiaries for the purpose of payment of allowances and benefits.
  16. Affiliation to EPS, pension fund, ARL, Compensatory Fund.
  17. Received training.
  18. Psychological evaluation report.
  19. Worker’s occupational medical history.
  20. Work-related accidents.
  21. Photographic records.
  22. Annual competency evaluation.

C. From Shareholders:

  1. Names, surnames, type and identification number, marital status, email, phone numbers, date of birth, gender, number of children, education, profession.
  2. Emergency contacts (Names, address, phone numbers, etc.).
  3. Correspondence address, residential address, workplace address, position, visa data, nationality, country of residence, etc.
  4. Health data (such as vaccination history, illnesses, complications, allergies, etc.).

In the event that Microsyslabs is unable to provide the data subject with this information processing policy, a privacy notice will be published, and its text will be kept for future reference by the data subject and/or the Superintendence of Industry and Commerce, on the website www.wolkvox.com and on the bulletin boards at Microsyslabs’ premises.

Microsyslabs may only collect, store, use, or disclose personal data for a reasonable and necessary period, according to the purposes that justified the processing, taking into account the applicable provisions regarding the subject matter and the administrative, accounting, fiscal, legal, and historical aspects of the information. Once the purposes of the processing have been fulfilled, and without prejudice to legal provisions stating otherwise, Microsyslabs will proceed to delete the personal data in its possession. However, personal data must be retained when required for compliance with a legal or contractual obligation.

The areas responsible for the processing of data, according to their objective and scope, will be in charge of addressing the requests, complaints, and claims made by the data subject in the exercise of the rights contemplated in item 10 of this policy. This service will be subject to the procedure outlined in item 18 of this policy.

THE PROCEDURE FOR EXERCISING THE RIGHT OF HABEAS DATA:

The data subject or their representative may submit their request, complaint, or claim from Monday to Friday, from 7:00 a.m. to 6:00 p.m., to the email address or [email protected], call the Microsyslabs helpline in Medellín at +57(604)322-98-80, and in Bogotá at +57(601) 381-9040, or submit it in person at the physical address in Medellín: Carrera 30 # 4A – 45 Ed. Forever W&L, Bogotá Carrera 17 # 89 – 31 Of. 503 Ed. Gaia Rincón del Chicó, or through the website www.wolkvox.com.

The request, complaint, or claim must include:

  • The identification of the data subject.
  • Contact information, phone number, mobile, address, email.
  • A description of the facts that give rise to the claim.
  • The documents that the claimant wants to present.

If the claim is incomplete, the interested party will be required to remedy the deficiencies within five (5) days following the receipt of the claim.

After two (2) months from the date of the request, if the claimant has not provided the requested information, it will be understood that they have withdrawn the claim.

If the recipient of the claim is not competent to resolve it, they will forward it to the appropriate authority within a maximum term of two (2) business days and inform the interested party of the situation.

Once the complete claim is received, a note will be included in the corresponding database stating “claim under process” and the reason for it, within a term not exceeding two (2) business days. This note will be kept until the claim is resolved.

The maximum term to address the claim will be fifteen (15) business days from the day following its receipt. If it is not possible to address the claim within this term, the interested party will be informed of the reasons for the delay and the date when their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the initial term.

The data subject may request Microsyslabs, as the Data Controller, at any time to delete their personal data and/or revoke the authorization they have granted for the processing of such data by submitting a claim, in accordance with Article 15 of Law 1581 of 2012.

However, it is important to note that your request for data deletion and revocation of authorization will not be granted when, as the data subject, you have a legal or contractual obligation to remain in Microsyslabs’ database.

The mechanisms provided by Microsyslabs, easily accessible and free of charge, for the data subject to submit the request for data deletion or revocation of the granted authorization, are those outlined in Item 18 of this Policy.

If, after the term established in Item 18, Microsyslabs, as the Data Controller, fails to delete your personal data from its databases, you will have the right to request the Superintendence of Industry and Commerce to order the revocation of the authorization and/or the deletion of your personal data. For these purposes, the procedure described in Article 22 of Law 1581 of 2012 will be applied.

In accordance with the provisions of numeral 3 of article 10 of Regulatory Decree 1377 of 2013, Microsyslabs will proceed to publish a notice addressed to the holders of personal data in order to make known the present information processing policy and the way to exercise their rights as holders of personal data hosted in Microsyslabs’ databases, through the website www.wolkvox.com.

The Personal and Sensitive Data Handling Policy (Habeas Data) was created and published on April 3, 2019.

Any changes that may occur regarding this policy will be communicated through the website www.microsyslabs.com or the email address [email protected], or for those who request the information directly at the locations in Medellín: Carrera 30 # 4A – 45 Ed. Forever W&L, Bogotá Carrera 17 # 89 – 31 Office. 503 Ed. Gaia Rincón del Chicó.
