RAD/DF Personal Data Processing Policy

2. Applicable Legislation

This policy is based on the principles and other parameters established in: (i) Article 15 of the Political Constitution of Colombia, (ii) Law 1266 of 2008, (iii) Law 1581 of 2012, (iv) Decree 1074 of 2015, and any regulations that modify, add to, develop, or complement them.

3. Definitions

The Policy should be interpreted considering the following definitions as determined by the Colombian Personal Data Protection Regime:

a) Authorization: Prior, express, and informed consent of the Data Subject for processing personal data; b) Database: An organized set of personal data that is subject to Processing. RAD/DF has databases to which the provisions of Law 1581 of 2012 and its Regulatory Decree 1377 of 2013 apply; c) Candidate(s): Individuals who have received an offer from the Firm or are involved in a selection process as potential employees. This also refers to potential clients of RAD/DF; d) Client(s): Any person receiving legal services from the Controller to meet a personal, private, family, domestic, or business need; e) Personal Data: Any information linked or that can be associated with one or more identified or identifiable natural persons; f) Sensitive Data: Information affecting the privacy of the Data Subject or whose improper use could lead to discrimination, such as racial or ethnic origin, political orientation, health, sexual life, among others; g) Public Data: Information not classified as semi-private, private, or sensitive, such as marital status, profession, or occupation, contained in public records, public documents, among others; h) Processor: The person who processes data on behalf of the Controller; i) Employee(s): A natural person who, by virtue of an employment contract, is obligated to render personal services to another person, natural or legal, under continuous dependence or subordination of the latter and in return for remuneration; j) Controller: The person who decides on the database and/or the Processing of the data; k) Provider(s): Any natural or legal person who provides a service to the company under a contractual/obligational relationship; l) Data Subject: The natural person whose personal data is subject to Processing; m) Processing: Operations on personal data, such as collection, storage, use, circulation, or suppression; n) Transfer: The sending of personal data by the Controller and/or Processor located in Colombia to a recipient, who is responsible for the Processing within or outside the country; o) Transmission: The communication of personal data within or outside Colombian territory by the Processor on behalf of the Controller.

4. Purposes of Processing

It is RAD/DF’s responsibility to collect, store, use, circulate, transmit, and transfer the Personal Data subject to Processing solely for the following specific purposes:

4.1. The purposes for collecting and Processing Clients’ Personal Data are as follows:

a) Execute the contractual relationship between RAD/DF and its Clients; b) Communicate with Data Subjects to send documents or information directly related to the contractual and obligational relationship arising from the provision of legal services; c) Provide Data Subjects with the necessary information through the website or mobile communication applications about the products offered to formalize the commercial relationship; d) Manage billing and debt collection; e) Send and receive text messages, emails, and/or other communications for communicative, advertising, and/or customer service purposes, offering the Controller’s goods and services and maintaining personalized contact with Clients; f) Improve RAD/DF’s commercial and promotional initiatives; g) Identify and process all information provided by Data Subjects in one or more databases; h) Transmit Personal Data to Providers, contractors, logistics operators, and generally third parties to fulfill RAD/DF’s obligations, or transfer them if expressly authorized; i) Collect information for commercial, informational, and marketing campaigns; j) Transmit Clients’ personal data to third parties for compliance with the contractual relationship or for data analysis purposes, or transfer them if expressly authorized; k) Transmit or transfer personal data to (i) carry out credit scoring, income validation tools, predictive income tools, tools to prevent fraud, impersonation, and in general, proper credit risk management and (ii) compare, contrast, and complement it with financial, commercial, credit, service information found in credit information centers and/or operators of financial, commercial, and credit information databases, among others.

4.2. The purposes for collecting and Processing Providers’ Personal Data are as follows:

a) Properly monitor compliance with rights and obligations arising from the contractual relationship to ensure correct execution; b) Carry out administrative, accounting, financial, operational, and logistical aspects related to the development of contractual and tax obligations; c) Perform billing processes, operations aimed at effectiveness, and carry out economic and accounting management, as well as fulfill all tax and debt collection obligations; d) Inventory commercial relationships, verify legal, technical, and financial requirements, and conduct opinion surveys; e) Verify commercial and reputational backgrounds, and potential risks of relationships associated with Money Laundering and Terrorism Financing; f) Report to credit bureaus or other data operators about the correct execution of credit obligations, patrimonial content, and contact details arising from commercial, financial, or socio-economic relationships with the Data Subject; g) Know, store, and process all information provided by Data Subjects in one or more Databases in the format deemed most convenient; h) Transmit Personal Data to service providers, contractors, logistics operators, and generally third parties to fulfill RAD/DF’s obligations, or transfer them if expressly authorized; i) Collect information for commercial and marketing research purposes; j) Transmit Personal Data to third parties to fulfill the contractual relationship or for data analysis purposes, or transfer them if expressly authorized; k) Any other purpose resulting from the development of the present contractual relationship, such as negotiation and/or execution of the contract, service, or any relationship between the Data Subject and RAD/DF.

4.3. The purposes for collecting and Processing Employees’ and/or Candidates’ Personal Data, as well as contractors, are as follows:

a) Perform audits and update the Firm’s systems and Databases; b) Contact the Data Subject to send information related to the employment relationship that they have, have had, or are interested in having with RAD/DF; c) Collect and process all information shared by Data Subjects in one or more Databases; d) Manage data required for paying fees, salaries, social benefits, and other compensations for which the Firm is responsible, according to the legal framework and employment contract; e) Comply with the stipulations of contracts with the Data Subject, which includes any requirement, request, claim, and revocation of Authorization for data Processing; f) Develop procedures for ethical and disciplinary control, such as explanations or warnings, applicable under the relevant internal regulations and other applicable legislation; g) Order, catalog, classify, divide, or separate the information provided by the Data Subject in Databases; h) Organize and implement business activities for the Data Subject within the work environment; i) Fulfill legal information requirements from authorities supervising the Firm’s typical activities, following due process; j) Ensure compliance with the Internal Work Regulations and other internal policies of RAD/DF; k) Verify the credentials stated in the Data Subject’s resume. In case personal and/or commercial references are provided, Data Subjects guarantee that they have obtained prior authorization from these contacts for RAD/DF to reach out to them; l) Prevent any misuse of RAD/DF’s services by the Data Subject; m) Register the information of Employees’ family members to comply with legal obligations; n) Authorize and allow access to RAD/DF’s premises for Employees to perform their job functions; o) Manage Personal Data to fulfill the obligations of the Firm as the Controller, as established by Colombian law; p) Comply with legal duties as an employer, such as preventing money laundering and terrorist financing; q) Verify, compare, and investigate the information provided by the Data Subject with any information RAD/DF has access to through legitimate means; r) Record and use CCTV footage or images as a security mechanism for the Firm’s premises; s) Transmit Personal Data to third parties to fulfill the Firm’s obligations or transfer them if required, only when expressly authorized by the Data Subject; t) Consult, at any time, in databases managed by credit bureaus or other operators, all relevant information to know the Data Subject’s performance as a debtor, their payment capacity, the feasibility of establishing or maintaining a contractual relationship, or any other purpose deriving from the knowledge of this information; u) Transmit Personal Data to third parties to fulfill the contractual relationship or for data analysis purposes, or transfer them if expressly authorized.

5. Authorization for Processing

Processing, including the collection, circulation, and deletion of Data, requires the prior, free, express, and informed consent of the Data Subject, which may be obtained by any means that can be used as proof, such as physical documents, emails, recorded phone calls, etc. Additionally, according to legal provisions, RAD/DF must inform the Data Subject of the following:

a) The nature of the Processing to which their Personal Data will be subjected and its specific purpose. b) The rights they have as Data Subjects. c) The communication channels, such as the website, email, physical address, or others, through which they can submit inquiries and/or complaints to the Controller.

6. Rights of Data Subjects

As stipulated by Colombian law, Data Subjects have the following rights:

a) To know, update, and rectify their Personal Data with the Controllers or Processors. This right can be exercised, among others, with regard to partial, inaccurate, incomplete, fractional data that may lead to error, or data whose Processing is expressly prohibited or has not been authorized; b) To request proof of the authorization granted to the Controller, except when expressly exempted as a requirement for Processing; c) To be informed by the Controller or Processor, upon request, about the use given to their Personal Data; d) To submit complaints to the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012 regarding Processing; e) To revoke the authorization and/or request the deletion of the data when Processing does not respect constitutional and legal principles, rights, and guarantees. The revocation and/or deletion will proceed when the Superintendence of Industry and Commerce determines that the Controller or Processor has engaged in conduct contrary to the law and the Constitution; f) To access their Personal Data that has been subjected to Processing free of charge.

7. Procedure for Exercising Data Subjects’ Rights

Below is the procedure that Data Subjects must follow to exercise their rights over the information stored in the Firm’s Databases according to applicable regulations. It should be noted that, although the rights to access, update, correct, and suppress Authorization are exclusively exercisable by the Data Subject, they can authorize a legal representative or attorney to carry out these processes.

It is important to note that if a request is submitted by someone other than the Data Subject without proof that they are acting on behalf of the Data Subject, the request will be deemed not filed.

i. Requests

To exercise the right to consultation with the Firm, the Data Subject must:

a) Submit a written request to any of the Firm’s service channels (described in section 9 of the Policy), in which the Data Subject must fully identify themselves. b) The request must be clear, complete, and legible, to ensure RAD/DF can provide a comprehensive response. c) It is the Firm’s responsibility to correct and update any incomplete or inaccurate information about the Data Subject, following the procedure and timeframes indicated above. To request the correction and updating of Personal Data, the Data Subject must specify the changes they wish to make and attach documentation supporting their request. d) The Firm has both physical and virtual channels (via email gerencia@raddf.com) for Data Subjects to submit their requests. Those submitting requests in person at the Firm’s offices must do so from 8:00 A.M. to 6:00 P.M. Monday through Friday. e) The Firm will ensure that all requests are addressed within a maximum period of ten (10) business days from the day following their receipt. f) In cases where RAD/DF cannot respond to the request within the initially indicated period, it will inform the interested party of the issue and indicate the new date on which the request will be addressed, which will not exceed five (5) business days after the expiration of the initial period.

ii. Complaints

Likewise, Data Subjects or third parties authorized by them have the right to submit complaints to RAD/DF when they consider it necessary to correct, update, or delete information contained in the Databases, or when they observe a presumed breach of the duties established by the law and the purposes of Processing. To do so, the Data Subject must:

a) Submit a written complaint to any of the Firm’s service channels (described in section 9 of the Policy), signed and accompanied by a copy of the complainant’s identification document. b) The Firm has both physical and virtual channels (via email gerencia@raddf.com) for Data Subjects to submit their complaints. Those submitting requests in person at the Firm’s offices must do so from 8:00 A.M. to 6:00 P.M. Monday through Friday. c) If the complaint is incomplete, the Data Subject, or their representative, will be required to rectify the issues within five (5) days of receiving the complaint. d) After two (2) months from the date of the request without the complainant providing the required information, the complaint will be deemed withdrawn. If the recipient of the complaint is not competent to resolve it, they will refer it to the appropriate party within a maximum of two (2) business days and inform the complainant of the situation. e) Once the complete complaint is received, a legend stating “complaint in process” and the reason for it will be included in the database within no more than two (2) business days. This legend will be maintained until the complaint is resolved. f) According to the law, the maximum period to address such complaints is fifteen (15) business days from the day following its receipt. If it is not possible to resolve the complaint within this period, the interested party will be informed before the term expires of the reasons for the delay and the new date on which the complaint will be addressed, which will not exceed eight (8) business days following the expiration of the first term.

8. Processing of Sensitive Data

RAD/DF will not process Sensitive Data in scenarios other than those authorized by Law 1581 of 2012. However, if the Firm requires the Processing of such data during its operations, RAD/DF will ensure to obtain prior and express consent from the Data Subjects, processing only the data necessary for the proper provision of its services.

In this scenario, the Firm prioritizes its duty to maintain the required confidentiality, especially avoiding any discrimination or violation of the Data Subject’s rights.

9. Contact Information for RAD/DF

For questions about the Policy or any concerns or complaints regarding it, please contact us through the following channels:

Corporate name: RAD ESTRATEGIAS LEGALES S.A.S. NIT: 901.163.686-1 Address: Calle 70 No. 4-36, Bogotá D.C. Phone: (1) 6798510 Email: gerencia@raddf.com Website: https://raddf.com/ Responsible Area: Administrative Management

10. Validity

RAD/DF issued this Policy on April 22, 2024. However, the content of this document may be subject to periodic modification by the Firm. Therefore, it is recommended that Data Subjects consult the website https://raddf.com/ to know the most updated version of the Policy.

Additionally, this policy will remain in effect for the duration of the commercial relationship or any other type of connection that RAD/DF has with the Data Subject, unless otherwise requested by the latter.