Personal Data Policy

CHAPTER I:


Article 1. Applicable regulations. This policy is governed by the parameters set out by articles 15 and 20 of the Political Constitution, Law 1581 of 2022 “whereby general provisions are set out for the protection of personal data”, and Decree 1377 of 2013 “whereby it partially regulates Law 1581 if 2012” and other regulatory provisions that govern the subject.

Article 2. Applicability Environment: The Policy will be applicable for personal data registered in the data bases of SierraCol Energy, SierraCol Energy Arauca, SierraCol Energy Andina, SierraCol Energy Condor (hereinafter the “Organization”), which are the object of Processing thereby.

Article 3. Purpose. The Organization, in order to comply with its legal and contractual obligations, requires the Processing of Personal Data, including its workers, suppliers, pensioners and others, which are included in the Databases of the Organization and on which the provisions that regulate the matter are applicable and, consequently, this Policy too.

Article 4. Definitions. For proper fulfillment of the parameters set by this Policy and in agreement with the provisions of the applicable regulations, the following definitions apply:

a) Authorization: Prior, express and informed consent of the Data Subject to carry out the Processing of Personal Data.

b) Privacy notice: Verbal or written communication prepared by the party Responsible for the Processing, addressed to the Data Subjects for the Processing of their Personal Data, whereby they are informed about the existence of the Data Processing Policies that will be applicable, the way to access them, and the purposes of the intended Data Processing.

c) Databases: Organized set of Personal Data that is subject to Processing.

d) Personal Data: Any information linked to or associated with one or more specific or determinable natural persons, who are registered in a database that makes them susceptible to Processing.

e) Public Data: It is the data that is not semi-private, private or sensitive. Public data, among others, are data related to the marital status of individuals, their profession or trade, and their status as a merchant or public servant. Given its nature, public data may be contained, among others, in public records, public documents, gazettes and official gazettes and duly enforceable judicial decisions that are not subject to reservation. f) Sensitive Data: Sensitive data is understood as that affecting the privacy of the Data Subject or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, union membership, social, human rights or other organizations that promote the interests of any political party or that guarantee the rights and assurance of opposition political parties, as well as data related to health, sexual life, and biometric data.

g) Responsible for the Processing: Natural or legal, public and private person in charge of Data Processing on behalf of the Data Controller.

h) Other: For the purposes of this Policy, it refers to any natural person with whom the Organization has a relationship, whether directly or indirectly, in fulfilling its corporate purpose. This includes, without limitation, beneficiaries of social projects, officials of companies with whom SierraCol Energy is related, etc.

i) Responsible for the Processing: Natural or legal, public or private person who decides on the Database and the Processing.

j) Data Subject: Natural person whose Personal Data are subject to Processing, as well as legal persons when the data of the natural persons that comprise it are involved.

k) Transmission: Processing of personal data that implies transmission thereof within or outside the territory of the Republic of Colombia when it is intended to carry out a Processing by the Person in Charge on behalf of the Responsible Party.

l) Processing: Any Personal Data operation, such as collection, storage, use, circulation or deletion.

Article 5. Principles. The processing of Personal Data by the Organization will be governed by the principles provided for in the applicable regulations, namely:

a) Purpose: Processing of Personal Data collected by the Organization will have the purpose described in Chapter V of this Policy.

b) Freedom: The Processing of Personal Data must be preceded by a prior, express and informed consent by the Data Subject, not being possible to obtain or disclose it without prior authorization, or in the absence of a legal or judicial mandate exempting the prior authorization of the Data Subject, except for legal provisions to the contrary.

c) Veracity: The personal data that the Data Subject provides and that is processed by the Organization, must be truthful, complete, exact, updated, verifiable and understandable. The Processing of partial, incomplete, fractionated or misleading data is prohibited.

d) Transparency: The Organization shall guarantee the right of Data Subjects to obtain information about the existence of their related Personal Data.

e) Restricted access and circulation: The Processing is subject to the limits derived from the nature of personal data, from the applicable regulatory provisions. In this regard, the Processing can only be performed by the party authorized by the Data Subject. Personal Data, except for public information shall not be available on the Internet or other massive communication media, with the exception of those events in which it is technically controllable to provide restricted knowledge to its Data Subjects and authorized third parties.

f) Security: The Organization shall adopt the technical, human and administrative measures required to guarantee the security of the data subject to Processing, in particular to avoid its adulteration, loss, consultation, use or unauthorized or fraudulent access.

g) Confidentiality All persons involved in the Processing of Personal Data that are not of public nature are bound to guarantee the reservation of information.


Article 6. Authorization: The Processing of Personal Data by the Organization requires free, prior, express and informed consent by the Data Subject, except for those of a public nature.

Article 7. Manner and mechanisms to grant authorization. The authorization may be evidenced on any mechanism that enables its subsequent consultation and this may be registered i) in writing, i) verbally, or iii) through unequivocal behavior of the Data Subject that leads to conclude reasonably that the authorization was granted, such as the entering to the Organization premises, and the supply of Personal Data upon entering of the respective official; in no event should silence be interpreted as unequivocal behavior.

Article 8. Evidence of authorization. The Organization shall keep records or the necessary mechanisms to prove when and how the authorization was obtained from the Data Subjects of personal data for its Processing.


<span class"legal-span-black">Article 9. Data Subject Rights. In accordance with the provisions of the applicable regulations, the Subject of Personal Data has the right to:

a) Know, update and rectify their personal data with the Processing Managers or Persons in Charge of Data Treatment. This right may be exercised, among others, against partial, inaccurate, incomplete, fractionated, misleading data, or those whose Processing is expressly prohibited or has not been authorized;

b) Request proof of the authorization granted to the Responsible for the Processing except when expressly excepted as a requirement for the Processing, pursuant to the provisions of article 10 of Law 1581 of 2012;

c) Being informed by the Processing Manager or Person in Charge of Data Treatment, upon request, regarding the use that has been given to their personal data; d) Submit to the Superintendency of Industry and Commerce complaints for breach of the provisions of this law and other regulations that modify, add or complement it;

e) Revoke the authorization and/or request for deletion of data when the Processing fails to respect the principles, rights and constitutional and legal guarantees. The revocation and/or deletion shall be applicable when the Superintendency of Industry and Commerce has determined that the Responsible or Person in Charge has incurred in a conduct contrary to this law and the Constitution during the Processing of Data;

f) Access free of charge to their Personal Data that have been subject to Processing.

Article 10. Duties of the Organization: In accordance with the applicable regulations, the Organization is bound to fulfill the following duties:

a) Guarantee the Data Subject, at all times, the full and effective exercise of the right to habeas data;

b) Request and keep, under the conditions set forth in this law, a copy of the respective authorization granted by the Data Subject;

c) Properly inform the Data Subject about the purpose of the collection and the rights that assist them by virtue of the authorization granted;

d) Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access, the time for archiving the information will be that set forth in article 15 of this Policy.

e) Guarantee that the information provided to the Person in Charge of Processing is truthful, complete, exact, updated, verifiable and understandable;

f) Update the information, communicating in a timely manner to the Person in Charge of Processing, all the news regarding the data that they have previously provided and adopt other necessary measures so that the information provided is kept updated;

g) Rectify the information when it is incorrect and communicate whatever is pertinent to the Person in Charge of Processing;

h) Provide the Processing Manager, as the case may be, only data whose Processing is previously authorized in accordance with the provisions of this law; require the Processing Manager at all times, to respect the conditions of security and privacy of the information of the Data Subject;

i) Process the queries and claims formulated in the terms indicated in this law;

j) Adopt an internal manual of policies and procedures to guarantee adequate compliance with this law and, especially, to attend to queries and complaints;

k) Inform the Processing Manager when certain information is under discussion by the Data Subject, once the claim has been submitted and the respective process has not been completed;

l) Advise upon request of the Data Subject about the use given to their personal data;

m) Report to the data protection authority when there are violations of the security codes and risks in the administration of Data Subject information.

n) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.


Article 11. Access Rights. The Data Subject may access their personal information that is subject to Processing by the Organization, as well as the conditions and general manner in which it has been carried out. In compliance with the foregoing, the Data Subject may:

a) Know the effective existence of the Processing to which their personal data are subjected.

b) Access to personal data held by the person in charge.

c) Know the purpose that justifies the processing of their data.

Paragraph.The Data Subject will have access to the Personal Data object of Processing by the Organization, after proof of their identity, free of charge, at least once a month in accordance with the provisions of article 21 of Decree 1377 of 2013.

Article 12. Consultation: The Data Subject or their successors may consult the personal information held in the Organization’s databases upon request, which will be addressed within a maximum period of ten (10) business days from the date of receipt. Should it not be possible to address the request within said term, the interested party will be so advised within the same term, stating the reasons for such impossibility, as well as the date on which a response will be provided, which cannot be more than five (5) business days after the expiration of the first deadline.

Article 13. Claims: The Data Subject or their successors who consider that the information contained in a Database should be subject to correction, rectification, updating or deletion, or when they notice an alleged breach of any of the obligations set forth in this law, may file a claim with the Organization, which shall be processed pursuant to the following rules:

a) The claim must contain at least the following information: i. Name and address of the Data Subject or any other means to receive a response. ii. Documents that prove the identity of their representative. iii. Clear and precise description of the personal data that gave rise to the claim.

b) The claim shall be filed by means of a request addressed to the Personnel Management Coordinator of the Organization, including the identification of the Data Subject, the description of the facts that give rise to the claim, the address, and the pertinent accompanying documents must be attached thereto. If the claim is incomplete, the interested party will have five five (5) days after the claim has been received to correct any faults. After two (2) months from the date of the request, without the applicant having provided the required information, it will be understood that the claim has been waived.

Once the complete claim is received, a legend reading “claim in process” will be included in the Database, with the respective reason thereof, within a term not exceeding two (2) business days. Said legend must be maintained until the claim is settled.

The maximum term to address the claim will be fifteen (15) business days from the day following the date of receipt. Should it be impossible to address the claim within said term, the interested party will be advised of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first deadline.

Paragraph 1.Rectification and update: When the claims are intended for rectification or updating, the Data Subject must indicate the corrections to be made and attach the documentation that supports their request.

Paragraph 2.Deletion: The deletion of personal data is carried out by means of the total or partial elimination of personal data as requested by the Data Subject, notwithstanding which the Organization may deny it when the Data Subject has a legal or contractual obligation to remain in the Data Base.

Article 14. Revocation of the authorization. Personal Data Subjects may revoke the authorization granted at any time, except for such events in which this is prohibited by a legal or contractual provision.

In any event, the Data Subject must indicate in their request whether it is a total or partial revocation; in the latter case, when only seeking to eliminate any of the purposes for which the Processing was authorized, in which case the Data Subject must indicate the purpose that is to be deleted.

The procedure to revoke authorization will be the same provided for in above Article 13.

Article 15. Data File. The data shall be held in the Organization’s physical files for five (5) years, after which it will be physically deleted and will remain only in the digital files owned by the Organization. The digital file will be held for five (5) years, as of the date in which the physical file is eliminated.


Article 16. Purpose for Personal Data Collection. The Organization collects data in furtherance of its corporate purpose and, therefore, it may be processed, collected, stored, used, updated and transmitted in accordance with that provided for in this Policy and the procedures set out by the Organization for said purposes.


Article 17. Security measures: The Organization shall adopt the technical, human and administrative measures necessary to guarantee the security of personal data subject of processing, thus preventing its adulteration, loss, consultation, use or unauthorized or fraudulent access thereto.

Article 18. Transmission of Personal Data. The Organization is empowered to share the information held with its home offices and affiliates, pursuant to the terms of article 25 of Decree 1377 of 2013.


Article 19. . The Organization designates the Personnel Management Coordinator, who will be in charge of the protection of personal data, will process the requests of Data Subjects, and will ensure the exercise of their rights. The requests for consultation, claims, rectification, updating, deletion, revocation of authorization and any other that is applicable in accordance with that provided for in Law 1581 of 2012, its Regulatory Decree 1377 of 2013 and other related norms, must be addressed to the Organization, at Calle 77A No. 11-32 in Bogota, to the attention of the Personnel Management Coordinator or to his email: carlos_albarracin@sierracol.com

Article 20. Term: This Policy comes into effect as of 18 December 2020.

SierraCol Energy
December, 2020