OBJECTIVE

SPATARO NAPOLI SAS, hereinafter “Spataro”, seeking to guarantee the adequate treatment of personal data and the protection of these, or of any information that resides in its databases, and in compliance with article 15 of the Political Constitution, to the Law 1581 of 2012, Regulatory Decree 1377 of 2013, and other regulations that modify, add or develop it, has developed and adopted this policy for the treatment of personal data, hereinafter the “Policy”. This Policy will be mandatory for Spataro, in its capacity as Responsible for the processing of personal data, as well as for all allied companies, subsidiaries, or that are part of the business group, and all employees, contractors or third parties who act on behalf of Spataro.

SPATARO’S ID

Company name: SPATARO NAPOLI S.A.S.

NIT. 890312535-7

Address: Calle 24 # 3 – 46, Cali Telephone: 4893049

Email Address: spataro@spataro.com.co

Web Page: http://www.spataro.com.co

LEGAL DEFINITIONS In accordance with current regulations, the following definitions will be applicable to the Policy, as well as any other that is part of the current regulatory framework for the protection and processing of personal data.

Authorization: Prior, express and informed consent of the Holder to carry out the Processing of personal data;

Database: Organized set of personal data that is subject to Treatment;

Personal data: Any information linked or that may be associated with one or more specific or determinable natural persons; Responsible for the Treatment:

Natural or legal person, public or private, that by itself or in association with others, carries out the Treatment of personal data on behalf of the Responsible for Treatment; Responsible for the Treatment: Natural or legal person, public or private, that by itself or in association with others, decides on the database and / or the Treatment of the data; Owner: Natural person whose personal data is subject to Treatment; Treatment: Any operation or set of operations on personal data, such as the collection, storage, use, circulation or deletion.

GUIDING PRINCIPLES In accordance with current legislation, the principles that must be applied for the processing of personal data and therefore that govern this Policy, are the following:

Principle of legality regarding data processing: The processing referred to in this law is a regulated activity that must be subject to what is established in it and in the other provisions that develop it;

Principle of purpose: The Treatment must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Holder;

Principle of freedom: Treatment can only be exercised with the prior, express and informed consent of the Holder. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent;

Principle of truthfulness or quality: The information subject to Treatment must be truthful, complete, exact, updated, verifiable and understandable. The Processing of partial, incomplete, fractioned or misleading data is prohibited;

Principle of transparency: In the Treatment, the right of the Holder to obtain from the Treatment Manager or the person in charge of Treatment, at any time and without restrictions, information about the existence of data that concerns him;

Principle of access and restricted circulation: The Treatment is subject to the limits that derive from the nature of the personal data, the provisions of this law and the Constitution. In this sense, the Treatment can only be done by persons authorized by the Holder and / or by the persons provided for in this law; Personal data, except public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the Holders or authorized third parties in accordance with this law;

Security principle: The information subject to Treatment by the Treatment Manager or Person in Charge of Treatment referred to in this law, must be managed with the technical, human and administrative measures that are necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access

Principle of confidentiality: All persons who intervene in the Processing of personal data that are not public in nature are obliged to guarantee the reservation of the information, even after the end of their relationship with any of the tasks included in the Treatment, being able only carry out supply or communication of personal data when this corresponds to the development of the activities authorized in this law and in the terms of the same.

TREATMENT AND PURPOSE OF PERSONAL DATA The treatment of personal data carried out by Spataro will have the following purposes.

• To comply with the obligations contracted with clients, suppliers, allies, users, distributors, contractors and other personnel related to Spataro.
• Carry out marketing, promotion or advertising activities of your own or of third parties, directly by Spataro or by third parties, through any means, on any product or service offered by Spataro or any of its allies, subsidiaries, brands and others.
• Manage procedures (requests, appointments and / or claims) and carry out surveys of satisfaction, consumption habits, current trends, preferences, purchase interest, means of purchase and others related to the fulfillment of Spataro’s corporate purpose.
• Carry out activities of sale, billing, collection management, collection, fraud prevention and / or any other activity related to current and future products and services, seeking to comply with the contractual obligations contracted and the corporate purpose. ü
• Provide relevant information that may be required by the sales force and / or distribution network, or by any third party with whom Spataro has a contractual relationship.
• Maintain efficient communication with customers, related to the offer of products, promotions, billing and / or services, or any activity carried out by Spataro in the exercise of its corporate purpose.
• Transfer and / or transmit the personal data of the holders within and / or outside the country to third parties, as a result of a contractual relationship, law or legal link that requires it, for the provision of services or by virtue or compliance with agreements commercial, alliances or contractual relationships.
• Take the necessary steps to prevent and control fraud in any form. 
• Carry out the procedures and / or activities required to comply with the obligations inherent to the services provided by Spataro.

RIGHTS OF THE HOLDERS The holders of personal data will have the following rights:

• Know, update and rectify your personal data in front of Spataro or the Treatment Managers. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or those whose Treatment is expressly prohibited or has not been authorized;

• Request proof of the authorization granted to Spataro, except when expressly excepted as a requirement for the Treatment;

• Be informed by Spataro or by the Treatment Manager, upon request, regarding the use that has been given to your personal data;

• Present before the Superintendency of Industry and Commerce complaints for infractions to the provisions of this law and the other regulations that modify, add or complement it;

• Revoke the authorization and / or request the deletion of the data when the treatment does not respect the principles, rights and constitutional and legal guarantees;

• Free access to your personal data that have been subject to Treatment.

DUTIES OF SPATARO Spataro, as the person responsible for the processing of personal data, must comply with the duties dictated by law, such as:

a) Guarantee the Holder, at all times, the full and effective exercise of the right to habeas data;

b) Request and keep, under the conditions set forth in this law, a copy of the respective authorization granted by the Holder;

c) Properly inform the Holder about the purpose of the collection and the rights that assist him by virtue of the authorization granted;

d) Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access;

e) Guarantee that the information provided to the Treatment Manager is truthful, complete, exact, updated, verifiable and understandable;

f) Update the information, communicating in a timely manner to the Person in Charge of Treatment, all the news regarding the data that you have previously provided and adopt the other necessary measures so that the information provided to it is kept updated;

g) Rectify the information when it is incorrect and communicate the pertinent to the Person in Charge of Treatment;

h) Provide the Treatment Manager, as the case may be, only data whose Treatment is previously authorized in accordance with the provisions of this law;

i) Require the Treatment Manager, at all times, to respect the security and privacy conditions of the Owner’s information;

j) To process the queries and claims formulated in the terms indicated in this law;

k) Adopt an internal manual of policies and procedures to guarantee adequate compliance with this law and, in particular, for the attention of queries and complaints; In addition to the other duties indicated by current legislation in this regard.

AUTHORIZATION – Queries and Claims

At the latest at the time of collection of your data, Spataro must adopt procedures to request the prior, express and informed authorization of the owner for the treatment of the same and inform him of the personal data that will be collected, as well as the purposes of the treatment for which consent is obtained. The collection of data will be limited to those that are pertinent and adequate for the purpose for which they are collected and must be obtained by any means that may be subject to subsequent consultation and verification by the owner.

It will be understood that the owner has granted Spataro his authorization for the processing of his personal data when it is manifested: a) in writing; b) orally; or c) through unequivocal conduct that allows it to be reasonably concluded that the latter granted Spataro the respective authorization. In no case shall silence be understood as unequivocal conduct.

The authorization of the owner will not be necessary in the case of: i) information required by a public or administrative entity in the exercise of its legal functions or by court order; (ii) data of a public nature; (iii) cases of medical or health emergency; (iv) treatment of information authorized by law for historical, statistical or scientific purposes; and (v) data related to the Civil Registry of Persons.

The owner of the personal data may request Spataro at any time, the deletion of their personal data and / or the revocation of the authorization granted for the treatment thereof, by submitting a claim as established in Law 1581 of 2012. However, the request to delete information and / or revoke the authorization will not proceed if the owner of the personal data has a legal or contractual duty by virtue of which it must remain in the Spataro database.

Likewise, the owner may submit inquiries and / or claims, whose procedures and terms will be those established in Law 1581 of 2012.

The channels for the exercise of the rights of the holders are the following: Contact information: Calle 24 # 3-46, Cali Valle del Cauca. Tel: (2) 4893049, website: spataro.com.co, email: spataro@spataro.com.co The Spataro customer service area is in charge of receiving requests, queries and claims from the Owner of Personal Data related to their rights to know, update, rectify and delete Personal Data and revoke the Authorization. Likewise, the Customer Service area will ensure the timely and adequate response issued by each of the Spataro areas to the requests, queries and claims of the Data Holders.

USE AND INTERNATIONAL TRANSFER OF PERSONAL DATA AND PERSONAL INFORMATION BY SPATARO The owner of the information expressly authorizes that all of his information may be transferred and / or transmitted abroad, observing the current regulation, in development of Spataro’s international relations when this is necessary. Spataro will take all the measures that are necessary so that third parties who know the information of the holders, subject to the obligation to maintain confidentiality, know and observe this Policy, under the understanding that the personal information they receive may only be used for matters directly related to the relationship they have with Spataro and to achieve the purposes of said relationship, while it is in force.

Spataro may also exchange personal information with governmental or other public authorities (including, among other judicial or administrative authorities, fiscal authorities and criminal, civil, administrative, disciplinary and fiscal investigation bodies), and third parties involved in civil legal proceedings and their accountants, auditors, attorneys and other advisers and representatives, because it is necessary or appropriate:

a) To comply with current laws, including laws other than those of your country of residence;

b) To comply with legal processes;

c) To respond to requests from public and government authorities, and to respond to requests from public and government authorities other than those of your country of residence;

d) To enforce our terms and conditions;

e) To protect our operations;

a) To protect our rights, privacy, security or property, yours or those of third parties; and

b) Obtain the applicable compensation or limit the damages that may affect us.

VALIDITY This personal information treatment policy is valid as of November 1, 2020 and until the moment it is expressly revoked or modified.