Scope

This Personal Data Protection Policy shall apply to all Databases and/or Files containing Personal Data subject to Processing by BeGo Colombia S.A.S., acting as the controller and/or processor of Personal Data (hereinafter, the “COMPANY”).

Identification of the Data Controller

BeGo Colombia S.A.S., a company domiciled at Cl 86a No. 14 – 63, Bogotá, D.C., Colombia.

Email: royalenfield@begocolombia.com.

Definitions

Authorization: Prior, express, and informed consent granted by the Data Subject for the Processing of Personal Data.

Privacy Notice: Verbal or written communication issued by the Controller to the Data Subject regarding the Processing of their Personal Data, informing them of the applicable Information Processing Policies, how to access them, and the purposes of the intended Processing.

Database: Organized set of Personal Data subject to Processing.

Personal Data: Any information linked to or that may be associated with one or more identified or identifiable natural persons.

Data Processor: Natural or legal person, public or private, who by itself or in association with others processes Personal Data on behalf of the Data Controller.

Data Controller: Natural or legal person, public or private, who by itself or in association with others decides on the Database and/or the Processing of data.

Terms and Conditions: General framework establishing the conditions applicable to participants in promotional or similar activities.

Data Subject: Natural person whose Personal Data is subject to Processing.

Processing: Any operation or set of operations performed on Personal Data, such as collection, storage, use, circulation, or deletion.

Transfer: Occurs when the Data Controller and/or Processor located in Colombia sends Personal Data to a recipient who is also a Controller, whether located inside or outside Colombia.

Transmission: Processing of Personal Data involving communication of the data within or outside Colombia when carried out by a Processor on behalf of the Controller.

Processing of Personal Data

The COMPANY, acting as Data Controller and/or Processor, collects, stores, uses, circulates, and deletes Personal Data of natural persons with whom it has or has had relationships, including but not limited to employees and their families, shareholders, consumers, clients, distributors, suppliers, creditors, and debtors, for the proper development of its business activities and the strengthening of relationships with third parties.

Purpose of Processing

• To send information to employees and their families.
• To provide health services to beneficiaries among employees’ family members.
• To recognize, protect, and exercise shareholders’ rights.
• To strengthen relationships with consumers and clients through relevant communications, order processing, customer service requests, quality evaluations, and invitations to events organized or sponsored by the COMPANY.
• To interact with distributors, verify compliance with distribution standards and legal obligations, and invite them to COMPANY events.
• To ensure timely and quality supply with suppliers through selection processes, compliance evaluations, and event invitations.
• To verify balances with creditors.
• To determine outstanding obligations, consult financial and credit history information, and report unpaid obligations to credit bureaus.
• To improve, promote, and develop the COMPANY’s products and those of its globally affiliated companies.
• For marketing, statistical, research, and other commercial purposes not contrary to Colombian law.
• To respond to judicial or administrative requirements and comply with legal mandates.
• To contact natural persons by email or other means for the purposes listed above.

Rights of Data Subjects

• To know the Personal Data being processed by the COMPANY.
• To request updates, corrections, or rectifications of their data.
• To request proof of the Authorization granted to the COMPANY.
• To be informed, upon request, of the use given to their Personal Data.
• To file complaints before the Colombian Superintendence of Industry and Commerce for violations of Data Protection regulations.
• To request the deletion of their Personal Data and/or revoke the Authorization granted, when legally applicable.
• To access their Personal Data free of charge.

Area Responsible for Implementation and Compliance

The administrator of BeGo Colombia S.A.S. is responsible for the development, implementation, training, and observance of this Policy.

All personnel processing Personal Data in the different areas of the COMPANY must report these Databases to the company management and immediately forward all requests, complaints, or claims submitted by Data Subjects.

The administrator of BeGo Colombia S.A.S. has also been designated as the area responsible for handling requests, consultations, complaints, and claims through which Data Subjects may exercise their rights to know, update, rectify, delete data, and revoke Authorization.

Authorization

The COMPANY must request prior, express, and informed Authorization from Data Subjects before carrying out the Processing of their Personal Data.

Prior Authorization means consent must be obtained no later than at the time the Personal Data is collected.

Express Authorization means the Data Subject’s consent must be explicit and specific. Open-ended or non-specific authorizations are not valid.

This consent may be granted through written, oral, or unequivocal conduct mechanisms made available by the COMPANY.

The COMPANY will never interpret silence as unequivocal conduct. The Authorization must always be retained for future consultation.

Informed Authorization means that, when requesting consent, the Data Subject must be clearly informed of:

• The Personal Data to be collected.
• The identity and contact details of the Controller and Processor.
• The specific purposes of the Processing.
• The rights they hold as Data Subject.
• The optional nature of responses concerning sensitive data or the data of children and adolescents.

Special Provisions for Sensitive Personal Data

According to Colombian Data Protection Law, sensitive data includes information affecting privacy or whose misuse may lead to discrimination, such as data related to racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions or social organizations, health, sexual life, and biometric data.

The Processing of sensitive Personal Data is prohibited unless the COMPANY has the Data Subject’s express, prior, and informed Authorization, among other legal exceptions.

• The Data Subject must be informed that they are not required to authorize the Processing of sensitive data.
• The Data Subject must be informed which data is sensitive and the purpose of its Processing.

No activity may be conditioned on the Data Subject providing sensitive Personal Data.

Special Provisions for the Personal Data of Children and Adolescents

The COMPANY will only process Personal Data of children and adolescents when such Processing responds to and respects their best interests and guarantees their fundamental rights.

Once these requirements are met, the COMPANY must obtain Authorization from the legal representative of the child or adolescent, after ensuring the minor’s right to be heard, taking into account their maturity, autonomy, and capacity to understand the matter.

Procedure for Requests, Consultations, Complaints, and Claims

Data Subjects whose Personal Data is being collected, stored, used, or circulated by the COMPANY may exercise their rights to know, update, rectify, and delete information and revoke Authorization at any time.

Requests and Consultations

Data Subjects or their successors may request:

• Information regarding the Personal Data subject to Processing.
• Proof of the Authorization granted to the COMPANY.
• Information on the use given to their Personal Data.

Requests may be submitted to:

• BeGo Colombia S.A.S., Cl 86a No. 14 – 63, Bogotá, D.C., Colombia.
• Email: royalenfield@begocolombia.com.

Requests and consultations will be answered within a maximum of ten (10) business days from receipt. If it is not possible to respond within this period, the interested party will be informed of the reasons for the delay and the response date, which may not exceed five (5) additional business days.

Complaints and Claims

Data Subjects or their successors may file complaints or claims to request:

• Correction or updating of information.
• Deletion of Personal Data or revocation of Authorization.
• Correction of any alleged breach of the obligations contained in Data Protection Law.

The request must include a description of the facts, contact details of the applicant, and any supporting documents.

Complaints and claims may be submitted to:

• BeGo Colombia S.A.S., Cl 86a No. 14 – 63, Bogotá, D.C., Colombia.
• Email: royalenfield@begocolombia.com.

If incomplete, the COMPANY will request correction within five (5) business days. If the applicant fails to provide the required information within two (2) months, the complaint or claim will be deemed withdrawn.

Once a complete complaint or claim is received, a note stating “claim in process” and the reason for it will be included in the Database within no more than two (2) business days, and will remain until the matter is resolved.

The maximum term to resolve a complaint or claim is fifteen (15) business days from the day following receipt. If this is not possible, the interested party will be informed of the reasons for the delay and the new response date, which may not exceed eight (8) additional business days.

Information Collected Passively

When using services available on the COMPANY’s websites, the COMPANY may passively collect information through technologies such as cookies, including hardware and software information, IP address, browser type, operating system, domain name, access time, and referring website addresses.

These tools do not directly collect users’ Personal Data. Information may also be collected about the pages most frequently visited in order to understand browsing habits.

Users may configure the operation of cookies according to their browser settings.

Security of Personal Data

In strict application of the Security Principle in Personal Data Processing, the COMPANY will adopt the technical, human, and administrative measures necessary to protect records against alteration, loss, consultation, unauthorized use, or fraudulent access.

The COMPANY’s obligation and responsibility are limited to providing appropriate means for this purpose. The COMPANY does not guarantee absolute security of information and shall not be liable for consequences arising from technical failures or improper access by third parties to the Databases or Files where Personal Data is stored.

The COMPANY will require its service providers acting as Processors to adopt and comply with appropriate security measures for the protection of Personal Data.

Transfer, Transmission, and Disclosure of Personal Data

The COMPANY may disclose Personal Data to its affiliated companies worldwide for use and Processing in accordance with this Personal Data Protection Policy.

The COMPANY may also provide Personal Data to third parties not affiliated with the COMPANY when:

• They are contractors engaged in agreements for the development of the COMPANY’s activities.
• A business line related to the information is transferred under any title.

In all agreements for the transmission of Personal Data entered into between the COMPANY and the Data Processors, it shall be required that the information be processed in accordance with this Policy and that the Processor undertake the following obligations:

• Process Personal Data on behalf of the COMPANY in accordance with the principles governing such data.
• Safeguard the security of the databases containing Personal Data.
• Maintain confidentiality regarding the Processing of Personal Data.

Applicable Legislation

This Personal Data Protection Policy and the Privacy Notice are governed by the applicable legislation on the protection of Personal Data, including Article 15 of the Political Constitution of Colombia, Law 1581 of 2012, Decree 1074 of 2015, and any regulations that amend, repeal, or replace them.

Effective Date

This Personal Data Protection Policy is effective as of November 1, 2016.