PLAZOLETA BAZZANI S.A.S.

PERSONAL DATA PROCESSING AND PROTECTION POLICY

NOVEMBER 2017

PERSONAL DATA PROCESSING POLICY

In compliance with the provisions of Statutory Law 1581 of 2012 and its Regulatory Decrees, the company PLAZOLETA BAZZANI S.A.S., establishes the General and Special Policies applicable to the Treatment and Protection of Personal Data in the organization.

1. IDENTIFICATION OF THE RESPONSIBLE

• NAME OF THE COMPANY: PLAZOLETA BAZZANI S.A.S., a commercial company identified with NIT. No. 860.040.407 - 5, is a Colombian company with a commercial activity of cultivation of cut flowers.

• PHYSICAL ADDRESS: Autopista Medellín Km 20, Facatativa, Colombia.

• WEBSITE: www.laplazoleta.com

• PHONE: (+57) (1) 891 1919.

2. OBJECTIVE

This Policy establishes the general guidelines for the protection and processing of personal data within PLAZOLETA BAZZANI S.A.S., thus allowing to strengthen the level of trust between the Responsible and Owners about the processing of your information; Informing the Holders of the purposes and transfers to which their data are subjected and the mechanisms and forms for the exercise of their rights.

3. SCOPE This Policy for the Treatment and Protection of Personal Data will be applied to all databases and/or files that include personal data that are subject to treatment by PLAZOLETA BAZZANI S.A.S., as Responsible for the treatment of personal data.

4. DEFINITIONS

• Habeas Data: The right of every person to know, update and rectify the information that has been collected about them in files and data banks of a public or private nature. • Personal data: Any information linked to or that can be associated with one or more determined or determinable natural persons.

• Sensitive personal data: Those data are those that affect the privacy of the Holder or whose improper use can generate discrimination of it. • Database: Organized set of personal data that is subject to treatment.

• Treatment: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion. • Authorization: Prior, express and informed consent of the Holder to carry out the processing of personal data.

• Privacy Notice: It is the physical, electronic document or in any other format known or to be known, which is made available to the Owner in order to inform about the processing of her personal data. • Holder: Natural person whose personal data is subject to treatment. • Successor in title: Person who, by succession or transmission, acquires the rights of another person. • Data Controller: Natural or legal person, public or private, that by itself or in association with others, decides on the database and/or data processing. • Treatment Manager: Natural or legal person, public or private, who, by itself or in association with others, performs the processing of personal data on behalf of the Treatment Manager.

5. APPLICABLE GUIDING PRINCIPLES REGARDING PERSONAL DATA

In terms of personal data protection, the following guiding principles will apply: a) Principle of legality in terms of data processing: The treatment referred to in the Habeas Data Law is a regulated activity that must be subject to what is established in it and in the other provisions that develop it. b) Principle of purpose: The treatment must obey a legitimate purpose in accordance with the Constitution and the law, which must be informed to the Holder. c) Principle of freedom: The treatment can only be exercised with the prior, express and informed consent of the Holder. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent. d) Principle of veracity or quality: The information subject to treatment must be truthful, complete, exact, updated, verifiable and understandable. The processing of partial, incomplete, fragmented or misleading data is prohibited. e) Principle of transparency: In the treatment, the right of the Holder to obtain from the person in charge of the treatment or the person in charge of the

treatment, at any time and without restrictions, information about the existence of data that concerns you. f) Principle of access and restricted circulation: The treatment is subject to the limits derived from the nature of the personal data, the provisions of the law and the Constitution. In this sense, the treatment can only be done by persons authorized by the Owner and/or by the persons provided for by law. Personal data, except public information, may not be available on the Internet or other means of disclosure or mass communication, unless access is technically controllable to provide restricted knowledge only to the Holders or third parties authorized by law. g) Principle of security: The information subject to treatment by the person in charge of the treatment or in charge of the treatment referred to in the Habeas Data Law, must be handled with the technical, human and administrative measures that are necessary to grant security to the records. avoiding its adulteration, loss, consultation, use or unauthorized or fraudulent access. h) Principle of confidentiality: All persons involved in the processing of personal data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks that comprise the treatment, being able to only carry out supply or communication of personal data when this corresponds to the development of activities authorized by law and in the terms thereof.

6. RIGHTS OF THE HOLDERS The Holders of personal data will enjoy the following rights, and those granted by law: a) Know, update and rectify their personal data before the person in charge of the treatment or those in charge of the treatment. This right may be exercised, among others, against partial, inaccurate, incomplete, fragmented, misleading data, or those whose treatment is expressly prohibited or has not been authorized; b) Request proof of the authorization granted to the person in charge of the treatment except when expressly excepted as a requirement for the treatment.

c) Be informed by the person in charge of the treatment or the person in charge of the treatment, upon request, regarding the use that has been given to their personal data; d) Submit complaints to the Superintendence of Industry and Commerce for violations of the provisions of the law and other regulations that modify, add or complement it; e) Revoke the authorization and/or request the deletion of the data when the principles, rights and constitutional and legal guarantees are not respected in the treatment. The revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that in the treatment the Responsible or Person in Charge has incurred in conduct contrary to the law and the Constitution; f) Free access to your personal data that has been processed.

7. AUTHORIZATION OF THE HOLDER OF PERSONAL DATA Without prejudice to the exceptions provided in Statutory Law 1581 of 2012, as a general rule in the processing of personal data, PLAZOLETA BAZZANI S.A.S., will collect the prior and informed authorization of the Holder, which may be obtained by any means that may be subject to subsequent consultation. 7.1 Events in which authorization is not necessary The authorization of the Holder will not be necessary in the case of: a) Information required by a public or administrative entity in the exercise of its legal functions or by court order; b) Data of a public nature; c) Cases of medical or health emergency; d) Treatment of information authorized by law for historical, statistical or scientific purposes; e) Data related to the Civil Registry of Persons.

8. DEBERES DE PLAZOLETA BAZZANI S.A.S., COMO RESPONSABLE DEL TRATAMIENTO DE DATOS PERSONALES 

PLAZOLETA BAZZANI S.A.S., como Responsable del tratamiento de datos personales, cumplirá los siguientes deberes: 

  1. a) Garantizar al Titular, en todo tiempo, el pleno y efectivo ejercicio del derecho de hábeas data

  1. b) Solicitar y conservar, en las condiciones previstas en la ley, copia de la respectiva autorización otorgada por el Titular.

  2. c) Informar debidamente al Titular sobre la finalidad de la recolección y los derechos que le asisten por virtud de la autorización otorgada.

  3. d) Conservar la información bajo las condiciones de seguridad necesarias para impedir su adulteración, pérdida, consulta, uso o acceso no autorizado o fraudulento.

  4. e) Garantizar que la información que se suministre al Encargado del tratamiento sea veraz, completa, exacta, actualizada, comprobable y comprensible.

  5. f) Actualizar la información, comunicando de forma oportuna al Encargado del tratamiento, todas las novedades respecto de los datos que previamente le haya suministrado y adoptar las demás medidas necesarias para que la información suministrada a este se mantenga actualizada.

  6. g) Rectificar la información cuando sea incorrecta y comunicar lo pertinente al Encargado del tratamiento.

  7. h) Suministrar al Encargado del tratamiento, según el caso, únicamente datos cuyo tratamiento esté previamente autorizado de conformidad con lo previsto en la presente ley.

  8. i) Exigir al Encargado del tratamiento en todo momento, el respeto a las condiciones de seguridad y privacidad de la información del Titular.

  9. j) Tramitar las consultas y reclamos formulados en los términos señalados en la Ley Estatutaria 1581 de 2012.

  10. k) Adoptar un manual interno de políticas y procedimientos para garantizar el adecuado cumplimiento de la ley y en especial, para la atención de consultas y reclamos.

  11. l) Informar al Encargado del tratamiento cuando determinada información se encuentra en discusión por parte del Titular, una vez se haya presentado la reclamación y no haya finalizado el trámite respectivo.

  12. m) Informar a solicitud del Titular sobre el uso dado a sus datos.

  13. n) Informar a la autoridad de protección de datos cuando se presenten violaciones a los códigos de seguridad y existan riesgos en la administración de la información de los Titulares.

  14. o) Cumplir las instrucciones y requerimientos que imparta la Superintendencia de Industria y Comercio.

9. SPECIFIC POLICIES FOR THE PROCESSING OF PERSONAL DATA.

9.1 Treatment of personal data of Workers

PLAZOLETA BAZZANI S.A.S., collects the personal data of its Workers who are qualified by the company as reserved, and

They will only be disclosed by the company with the express authorization of the owner or when a Competent Authority requests it.

The purposes for which the personal data of the company's workers are used will be:

a) Comply with the obligations imposed by Colombian labor law on employers, or the orders issued by the competent Colombian authorities;

b) Issue certifications regarding the relationship of the owner of the data with the company.

c) Comply with the obligations imposed on the company as an employer, in relation to Occupational Health and Safety standards, and the so-called Occupational Health and Safety Management System (SG-SST).

d) Manage the functions performed by the workers.

e) Consult memorandums or calls for attention.

f) Develop and apply the disciplinary process.

g) Contact relatives in cases of emergency.

h) The others specifically established in the authorizations that are granted by the workers.

PLAZOLETA BAZZANI S.A.S. stores the personal data of its workers, including those obtained during the selection process, and keeps them in a folder identified with the name of each one of them.

You will only have access to such folder and it will be processed by the Human Resources Area, in order to manage the contractual relationship between PLAZOLETA BAZZANI S.A.S. and the employee.

PLAZOLETA BAZZANI S.A.S. treats sensitive data of its workers such as fingerprints with the sole purpose of controlling the time of entry to the company's facilities and providing safe work environments. For the purposes of this treatment, the respective authorization is collected, which in any case will be express and optional, clearly indicating the sensitive data being processed and its purpose.

Likewise, it will have high security systems for the handling of sensitive data and its reservation, on the understanding that such sensitive data will only be used by PLAZOLETA BAZZANI S.A.S., for the aforementioned purposes.

Once the employment relationship has ended, PLAZOLETA BAZZANI S.A.S. will proceed to store all the personal data obtained from the selection process and the documentation generated in the development of the employment relationship, in a central file with restricted access, subjecting the information to adequate security measures and levels at all times, given that the employment information may contain sensitive data.

In any case, the information will not be processed for a period exceeding twenty (20) years from the termination of the employment relationship, or according to the legal or contractual circumstances that make it necessary to handle the information.

9.2 Processing of personal data of Shareholders

PLAZOLETA BAZZANI S.A.S., collects the personal data of its Shareholders and stores them in a database which is qualified by the company as reserved, and which will only be disclosed by the company with the express authorization of the owner or when a Competent Authority so I requested.

The purposes for which the personal data of PLAZOLETA BAZZANI S.A.S. Shareholders are used will be:

a) Allow the exercise of the duties and rights derived from the quality of Shareholder;

b) Send invitations to events scheduled by the company and in general contact the Shareholder;

c) Issue certifications related to the relationship of the owner of the data with The Company;

d) The others specifically established in the authorizations that are granted by the Shareholders.

In any case, the information will not be processed for a period longer than the person is a Shareholder of the company, and the additional time required in accordance with the legal or contractual circumstances that make the handling of the information necessary.

Finally, access to such personal information will be carried out in accordance with the provisions of the Commercial Code and other regulations that regulate the matter.

9.5 Treatment of personal data of Estudiantes PLAZOLETA BAZZANI S.A.S., within its labor welfare programs, provides its workers whose minor children are part of early childhood support as a kindergarten together with Family Welfare. By virtue of this, it stores and collects data from minors, with the sole purpose of fulfilling and developing its programs and the different activities of the kindergarten, so that in compliance with the General Regime of Habeas Data, the kindergarten collects the authorization for the processing of personal data of minors by their parents and/or their legal representatives.

The purposes for which the personal data of minors are used by PLAZOLETA BAZZANI S.A.S. they will be:

a) Carry out the fulfillment of the labor welfare programs that are the object of the kindergarten.

b) Advance the management of the academic, disciplinary and administrative processes of the minor as a kindergarten student.

c) Communicate with the student's relatives in case of emergency or when the behavior of the minor requires it.

d) Issue the respective certificates and records.

e) Carry out psychological follow-up when the student requires it, prior communication to the parents. In any case, the information will not be processed for a period longer than the duration of the student's relationship with the kindergarten or in accordance with the legal or contractual circumstances that make it necessary to handle the information. Similarly, PLAZOLETA BAZZANI S.A.S., will implement security mechanisms that prevent its modification, alteration, deletion, deletion, improper access and others that allow the processing of personal data of minors.

9.6 Processing of personal data of Suppliers and/or Contractors

PLAZOLETA BAZZANI S.A.S., collects the personal data of its Suppliers and/or Contractors and stores them in a database which, although it is made up mostly of public data, is qualified by the company as reserved, and that in the case of private data, will only be revealed by the company with the express authorization of the owner or when a Competent Authority requests it.

The purposes for which the personal data of PLAZOLETA BAZZANI S.A.S. Suppliers and/or Contractors are used will be:

a. Sending invitations to contract and carrying out procedures for the pre-contractual, contractual and post-contractual stages.

b. Sending invitations to events scheduled by the Company or its affiliates.

c. The others specifically established in the authorizations that are granted by the suppliers and/or Contractors themselves.

PLAZOLETA BAZZANI S.A.S., will only collect from its suppliers and/or contractors the data that is necessary, pertinent and not excessive for the purpose of selection, evaluation and execution of the corresponding contract.

The collection of personal data of workers of suppliers and / or Contractors by PLAZOLETA BAZZANI S.A.S., will in any case have the purpose of verifying the suitability and competence of the workers; that is, once this requirement has been verified, PLAZOLETA BAZZANI S.A.S., will return such information to the Supplier and/or Contractors, except when its conservation is expressly authorized.

In any case, the information will not be processed for a period exceeding the duration of the Supplier's relationship with the company, and the additional time required in accordance with the legal or contractual circumstances that make it necessary to handle the information. .

9.7 Treatment of personal data of Visitors in the Entrance Control

PLAZOLETA BAZZANI S.A.S., collects the personal data of its visitors and stores them in a database which is qualified by the company as reserved, and will only be disclosed by the company with the express authorization of the owner or when a Competent Authority requests it. .

The purposes for which the personal data of those who enter the facilities of PLAZOLETA BAZZANI S.A.S. are used, will be:

a) Ensure the entry to the company's facilities to people who have the authorization of free transit and restrict the passage to those people who are not authorized.

b) Guarantee security in monitored environments.

c) Allow adequate work environments for the safe development of activities within the company.

In any case, the information will not be processed for a period exceeding one (1) year from its collection in accordance with the legal or contractual circumstances that make it necessary to handle the information.

  1. 9.8 Tratamiento de datos personales de Registro de Videovigilancia

PLAZOLETA BAZZANI S.A.S., recolecta datos biométricos de sus trabajadores y visitantes a través de sus Cámaras de Vigilancia y los almacena en una base de datos la cual es calificada por la compañía como de reserva, y solo será revelada con la expresa autorización del titular o cuando una Autoridad Competente lo solicite. 

Las finalidades para las cuales son utilizadas los datos personales contenidos en las Cámaras de Vigilancia de PLAZOLETA BAZZANI S.A.S., serán: 

  1. a) Garantizar la seguridad en los ambientes laborales.

  2. b) Permitir ambientes de trabajo adecuados para el desarrollo seguro de actividades laborales de la compañía.

  3. c) Controlar el ingreso, permanencia y salida de trabajadores, contratistas, clientes, proveedores, y terceros en general, en las instalaciones de la empresa.

Para cumplir con el deber de información que le corresponde a PLAZOLETA BAZZANI S.A.S., como administrador de datos personales, la empresa implementará Avisos de Privacidad en las zonas en donde se realice la captura de imágenes que impliquen tratamiento de datos personales. 

En todo caso, la información no será objeto de tratamiento por un período superior a quince (15) días contados a partir de su recolección de acuerdo con las circunstancias legales o contractuales que hacen necesario el manejo de la información. 

10 TRANSFER AND INTERNATIONAL TRANSMISSION OF PERSONAL DATA The company does not currently carry out International Transmission or Transfer of personal data. In the event that the company decides to carry out the International Transfer of personal data, in addition to having the express and unequivocal authorization by the Owner, PLAZOLETA BAZZANI S.A.S. It will ensure that the action provides adequate levels of data protection and meets the requirements set in Colombia by Statutory Law 1581 of 2012 and its regulatory decrees. On the other hand, when PLAZOLETA BAZZANI S.A.S. decides to carry out International Data Transmission, it may do so without the authorization of the owners, as long as it guarantees the security of the information, confidentiality and the conditions that regulate the scope of the data processing, in accordance with article 10 of Law 1581 of 2012 .

11 DATA OF CHILDREN AND ADOLESCENTS PLAZOLETA BAZZANI S.A.S. does not directly process the personal data of minors. However, in a particular way, the company collects and processes the personal data of the minor children of its workers, with the sole purpose of complying with the obligations imposed by law on employers about affiliations to the social security system. and parafiscal and in particular,, to allow the enjoyment of the fundamental rights of children to health, education, and recreation. In any case, PLAZOLETA BAZZANI S.A.S. will collect, when appropriate, the respective authorization for its treatment, always bearing in mind the best interests of the minor and respect for the prevailing rights of children and adolescents.

12 PROCEDURE FOR THE ATTENTION OF INQUIRIES, CLAIMS, AND PETITIONS, AND MECHANISMS TO EXERCISE THE RIGHTS OF THE HOLDERS

The Holder, his successors in title, the representative and/or proxy of it, or whoever is determined by stipulation in favor of another; You can exercise your rights by contacting us through written communication addressed to the area responsible for the protection of personal data in the company, ACCOUNTING. The communication can be sent to the following email

email accounting@laplazoleta.com, auxiliarycontable2@laplazoleta.com, or through written communication at Autopista Medellín Km 20, Facatativá, Colombia.

12.1 Consultations The personal information of the Holder that resides in the PLAZOLETA BAZZANI S.A.S. databases may be consulted, and the company will be in charge of supplying all the information contained in the individual record, or that is linked to the identification of the applicant. Once the company receives the query, it will be answered within a maximum term of ten (10) business days from the date of receipt of the query. When it is not possible to attend the query within said term, the interested party will be informed, stating the reasons for the delay and indicating the new date on which such query will be attended, which in no case may exceed five (5) business days following upon expiration of the first term.

12.2 Claims When it is considered that the information contained in a database of PLAZOLETA BAZZANI S.A.S. must be corrected, updated or deleted, or when the alleged breach of any of the duties contained in the Habeas Data Law is noticed, a claim may be filed with PLAZOLETA BAZZANI S.A.S., which will be processed under the following rules: 1. The claim will be made by written communication addressed to PLAZOLETA BAZZANI S.A.S., with the identification of the Holder, the description of the facts that give rise to the claim, the address, and accompanying the documents that you want to assert. If the claim is incomplete, the interested party will be required within five (5) days after receipt of the claim to correct the faults. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that he has withdrawn the claim. In the event that PLAZOLETA BAZZANI S.A.S. receives a Claim for which it is not competent to resolve it, the company will transfer it to the appropriate person within a maximum term of two (2) business days and will inform the Holder.

2. Once the complete claim is received, the company will include in the respective database a legend that says "claim in process" and the reason for it, within a term not exceeding two (2) business days. The company will keep said legend in the data object of discussion until the claim is decided. 3. The maximum term to address the claim will be fifteen (15) business days from the day following the date of receipt. When it is impossible to address the claim within said term, the company will inform the Holder of the reasons for the delay and the new date on which his claim will be addressed, which in no case may exceed eight (8) business days following the due date. of the first term.

12.3 Procedural requirement The Holder, his successors in title, his representative and/or proxy, or whoever is determined by stipulation in favor of another; You can only file a complaint with the Superintendence of Industry and Commerce for the exercise of your rights once you have exhausted the process of Consultation or Claim directly with the company.

12.4 Request for updating and/or rectification

PLAZOLETA BAZZANI S.A.S. will rectify and update, at the request of the holder, the information that is inaccurate or incomplete, according to the procedure and the terms indicated above, for which the Holder must submit the request according to the channels provided by the company, indicating the update and rectification of the data and in turn must provide the documentation that supports such request.

12.5 Revocation of the authorization and/or deletion of the Data

The Holder may at any time revoke the consent or authorization given for the processing of his personal data, as long as there is no impediment enshrined in a legal or contractual provision.

Likewise, the Holder has the right to request PLAZOLETA BAZZANI S.A.S. at all times, the deletion or elimination of his personal data when:

a) Consider that they are not being treated in accordance with the principles, duties and obligations set forth in current regulations.

b) They are no longer necessary or relevant for the purpose for which they were obtained.

c) The time necessary for the fulfillment of the purposes for which they were obtained has been fulfilled.

Such suppression implies the total or partial elimination of the personal information, in accordance with the request of the owner in the records, files, databases or treatments carried out by PLAZOLETA BAZZANI S.A.S.

The cancellation right is not absolute and therefore PLAZOLETA BAZZANI S.A.S. may deny revocation of authorization or deletion of personal data in the following cases:

a) The owner has a legal or contractual duty to remain in the database.

b) The elimination of data hinders judicial or administrative actions related to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.

c) The data is necessary to protect the legally protected interests of the owner; to carry out an action based on the public interest, or to comply with an obligation legally acquired by the owner.

13 MODIFICATION OF THE POLICIES

PLAZOLETA BAZZANI S.A.S. reserves the right to modify the Personal Data Treatment and Protection Policy at any time. However, any modification will be communicated in a timely manner to the owners of the personal data through the usual means of contact ten (10) business days prior to its entry into force.

In the event that a holder does not agree with the new General or special Policy and with valid reasons that constitute a just cause for not continuing with the authorization for the processing of personal data, the Holder may request the company to withdraw of your information through the channels indicated in Chapter 12. However, the Holders may not request the withdrawal of their personal data when the company has a legal or contractual duty to process the data.

14 VALIDITY

This Policy is effective as of November 1, 2017.